ClawHub
Back to skill
v1.0.1

Ressemble TTS e STT

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 6:00 AM.

Analysis

This skill appears to do what it claims—send text or audio to Resemble AI for speech generation/transcription—but users should notice the external API and API-key requirements.

GuidanceThis appears safe for its stated TTS/STT purpose. Before installing, make sure you are comfortable sending the selected text/audio to Resemble AI, provide the API key only in a controlled environment, and note that curl, jq, and base64 are required even though the registry metadata does not list them.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
It uses direct HTTP calls to Resemble's production endpoints and supports asynchronous transcription polling.

The skill clearly discloses that it contacts Resemble AI over HTTP; this is expected for TTS/STT, but user text and audio may leave the local environment.

User impactText submitted for speech generation and audio submitted for transcription are sent to Resemble AI.
RecommendationUse this only with audio/text you are comfortable sending to Resemble AI, and confirm the provider's data-handling terms for sensitive content.
Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
ressemble-stt.md
requires:
      bins: ["curl", "jq", "base64"]
      env: ["RESEMBLE_API_KEY"]

The included skill file declares required binaries and an API key, while the registry-level requirements list no required binaries or environment variables. This is an under-declared setup requirement rather than evidence of hidden behavior.

User impactInstallation or invocation may fail unless curl, jq, base64, and RESEMBLE_API_KEY are available, even though the registry summary says no requirements.
RecommendationBefore installing, verify that the declared command-line tools are present and that the API key requirement is acceptable.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
ressemble-tts.md
env: ["RESEMBLE_API_KEY"]
    primaryEnv: "RESEMBLE_API_KEY"

The skill requires a Resemble API key for provider access. This is purpose-aligned, but it grants delegated access to the user's Resemble account.

User impactAnyone or any agent process with access to the environment variable may be able to make Resemble API calls under the user's account.
RecommendationUse a dedicated/limited API key if available, avoid exposing the environment variable in logs, and rotate the key if it may have been shared.