Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

qwen-audio-lab

v0.0.1

Hybrid text-to-speech, reusable voice cloning, and narrated audio generation for macOS plus Aliyun Qwen. Use when the user wants to convert text into speech,...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description (macOS + Aliyun Qwen TTS, voice cloning, narrated PPTs) matches what the code and SKILL.md implement: local 'say' playback, Qwen TTS calls, voice cloning/design endpoints, and local storage of outputs and remembered voices. However, the registry metadata lists no required environment variables or primary credential, while both SKILL.md and the code require DASHSCOPE_API_KEY. This omission in the metadata is an inconsistency to be aware of.
Instruction Scope
The SKILL.md instructions and the included script remain focused on TTS/voice workflows. They reference only task-relevant files/paths (user home ~/.openclaw/data/qwen-audio-lab for outputs/state), optional ffmpeg for trimming, and network calls to DashScope (Aliyun) APIs. There is no instruction to read unrelated system files, shell history, or to exfiltrate arbitrary data.
Install Mechanism
This is an instruction-only skill with an included Python script and no install spec; nothing is downloaded from external URLs during install. Runtime will execute local scripts and may call external network endpoints. No archive downloads or remote installers were specified.
Credentials
The code and SKILL.md require DASHSCOPE_API_KEY (plus optional QWEN_AUDIO_REGION, QWEN_AUDIO_OUTPUT_DIR, QWEN_AUDIO_STATE_DIR), but the registry metadata declared no required env vars or primary credential. This mismatch is concerning because the skill needs an API key to access remote TTS/voice-cloning services; the package should declare that requirement explicitly. Aside from the missing declaration, the environment access requested by the script (API key + optional dirs) is proportionate to the stated purpose.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global configs. It writes state and outputs under ~/.openclaw/data/qwen-audio-lab (its own directory) which is normal for persistent skill state.
What to consider before installing
- The skill does what it claims (local macOS 'say' + remote Qwen/DashScope TTS and voice-clone). However, the package metadata did NOT declare the required DASHSCOPE_API_KEY even though SKILL.md and the script require it — treat that as a red flag (metadata should match runtime requirements).
- The script will make network calls to DashScope endpoints (https://dashscope.aliyuncs.com and https://dashscope-intl.aliyuncs.com). Only provide an API key if you trust the endpoint and the skill source.
- The skill stores outputs and remembered-voice state under ~/.openclaw/data/qwen-audio-lab; verify you are comfortable with that directory being created/written.
- For some operations (audio trimming) ffmpeg is required, and local playback uses macOS 'say' — these are normal but will invoke subprocesses.
- Voice cloning can have legal/consent implications. The SKILL.md recommends asking for permission; you should enforce that policy yourself before cloning third-party voices.
- Because the skill source is 'unknown' and the registry metadata is inconsistent, prefer to inspect the full script locally (ensure the truncated portion contains only TTS/manage-voice logic) or obtain the skill from a trusted publisher before supplying credentials. If you proceed, limit the scope/permissions of the API key (if possible) and monitor network activity.

Like a lobster shell, security has layers — review code before you run it.
