ClawHub

Deapi Audio

v1.0.1

Text-to-speech, voice cloning, voice design, and transcribe audio files via deAPI GPU network. Trigger on 'text to speech', 'TTS', 'generate voice', 'read al...

1· 95·0 current·0 all-time
byAlex Glowacki@aleglowa
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, declared dependencies (curl, jq), primaryEnv (DEAPI_API_KEY), API base URL, and the provided scripts all align with a deAPI audio integration. There are no unrelated credentials or binaries requested.
Instruction Scope
SKILL.md and the scripts stay within the audio TTS/STT/voice-clone/design domain. The scripts will download user-supplied audio URLs and upload local files to the deAPI service (expected for this purpose). Note: accepting arbitrary URLs means the skill will fetch external resources (and could access internal URLs if provided), and error logging prints raw API responses in some failure cases (the scripts echo response content to stderr), so those behaviors are expected but worth being aware of.
Install Mechanism
This is an instruction-only skill with bundled shell scripts and no install spec. No remote downloads or package installs are performed by the skill itself, minimizing install-time risk.
Credentials
Only DEAPI_API_KEY is required and is the declared primary credential — appropriate for an API client. The skill also supports a plaintext fallback config.json written to the skill directory to store the API key; storing keys on disk is functional but increases exposure compared with using an environment variable only.
Persistence & Privilege
always:false (no forced inclusion). The skill can be invoked autonomously by the agent (default behavior), which is normal. It does not request system-wide privileges or modify other skills' configs.
Assessment
This skill appears to do what it says, but review and consider these practical risks before installing: - Provide the API key via environment variable (DEAPI_API_KEY) rather than saving it in the skill's config.json if you want less disk-persistent exposure. If you do use config.json be aware the API key is stored in plaintext under the skill directory. - The scripts download user-supplied URLs (ref-audio, audio). Do not provide internal or sensitive endpoints (e.g., http://169.254.x.x, internal cloud metadata endpoints, or private intranet URLs) because the skill will fetch them and may upload content to the external deAPI service. This is an expected capability for remote-audio support but is an SSRF/exfiltration risk if misused. - The scripts log API responses to stderr on some errors; sensitive response payloads could appear in agent logs. Rotate the API key if it's ever exposed. - Voice cloning involves uploading sample audio — consider privacy and legal implications before cloning someone else's voice. If you need stronger guarantees: keep the key in a protected secret store, avoid providing internal URLs as inputs, inspect the scripts locally before use, and monitor/network-restrict the runtime environment if you want to limit outbound fetches.

Like a lobster shell, security has layers — review code before you run it.

audiovk978xgp6tpz8cf0b3dcq8s6d5583jae5latestvk978xgp6tpz8cf0b3dcq8s6d5583jae5speech-to-textvk978xgp6tpz8cf0b3dcq8s6d5583jae5sttvk978xgp6tpz8cf0b3dcq8s6d5583jae5text-to-speechvk978xgp6tpz8cf0b3dcq8s6d5583jae5transcriptionvk978xgp6tpz8cf0b3dcq8s6d5583jae5ttsvk978xgp6tpz8cf0b3dcq8s6d5583jae5voice-clonevk978xgp6tpz8cf0b3dcq8s6d5583jae5whispervk978xgp6tpz8cf0b3dcq8s6d5583jae5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binscurl, jq
EnvDEAPI_API_KEY
Primary envDEAPI_API_KEY

Comments