rupali
v1.0.0Playful virtual girlfriend voice companion. Use when the user wants short, flirty, friendly text replies returned as Bulbul v3 audio across chat channels (Discord/Telegram/WhatsApp). Generate a brief response, then synthesize and send MP3.
⭐ 0· 800·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (virtual girlfriend TTS) match the included script and SKILL.md: the Python script calls Sarvam's TTS endpoint to produce MP3s using a 'rupali' speaker. This capability is coherent with the stated purpose.
Instruction Scope
SKILL.md instructs the agent to generate a short reply, run scripts/bulbul_tts.py to synthesize audio, and send the MP3 back to the requesting chat channel. The instructions also require a SARVAM_API_KEY environment variable (explicitly in SKILL.md and enforced by the script). There are no instructions to read unrelated files or exfiltrate data, but the instructions will send user-provided text to an external service (api.sarvam.ai).
Install Mechanism
There is no install spec (instruction-only), which limits disk writes. The bundle includes a Python script that uses the requests library; the skill does not declare this dependency, so runtime may fail or implicitly require installing third-party Python packages. Network access to api.sarvam.ai is required.
Credentials
The code and SKILL.md require SARVAM_API_KEY, but the registry metadata lists no required env vars or primary credential — this is an inconsistency. Requiring a single TTS API key is plausible, but the missing declaration and lack of guidance about required scopes or least-privilege are concerning.
Persistence & Privilege
No 'always: true', no system-level config paths requested, and the skill does not request elevated persistence. Autonomous invocation is allowed by default (disable-model-invocation is false) which is normal; there are no apparent privilege escalation behaviors in the files provided.
What to consider before installing
Key things to check before installing or enabling this skill:
- The script requires SARVAM_API_KEY (used as 'api-subscription-key') but the registry metadata did not declare any required env vars — confirm this and update metadata before trusting the skill.
- The skill will send every synthesized text to api.sarvam.ai; do not send sensitive or personal data (passwords, private messages, PII) because it will be transmitted to the TTS provider.
- Verify the Sarvam service (https://api.sarvam.ai) is legitimate and that the API key can be scoped or revoked; prefer creating a limited key for this purpose.
- The bundle uses Python's requests library but does not declare dependencies or an install step — ensure the runtime environment has required packages, or run the code in an isolated sandbox.
- The skill source and homepage are unknown; prefer skills with a verifiable author, homepage, or source repo. If you must use it, run in a restricted account/container and monitor network requests and API key usage.
- Ask the author (or require an updated package) to: declare SARVAM_API_KEY in registry metadata, list required Python deps, and document what data is sent to the TTS API and retention policy.
If you cannot verify these points, treat the skill as untrusted and avoid providing real user/private data to it.Like a lobster shell, security has layers — review code before you run it.
latestvk9719hmskg9t3hb3e8j84n583980wqzt
License
MIT-0
Free to use, modify, and redistribute. No attribution required.