Tts

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to do what it says—convert text to an MP3 via Hume or OpenAI—but users should notice the provider API key use, external text processing, and minor metadata/setup gaps.

This skill is reasonable to use if you are comfortable sending the chosen text to Hume or OpenAI. Set only the provider API key you need, avoid providing HUME_SECRET_KEY unless the publisher clarifies why it is required, choose a safe output path, and install dependencies from the included lockfile if setup is needed.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill may require handling paid-provider API credentials, and the documentation asks for one extra Hume secret that does not appear necessary.

Why it was flagged

Provider API keys are sensitive account credentials. Their use is purpose-aligned for TTS, but the registry metadata declares no env vars or primary credential, and the documented `HUME_SECRET_KEY` is not used by the provided Hume script.

Skill content

Keys: Stored in environment as `HUME_API_KEY` and `HUME_SECRET_KEY`.

Recommendation

Declare the needed environment variables in metadata, remove `HUME_SECRET_KEY` from examples unless required, and use scoped or revocable API keys.

What this means

Any text converted to speech may be processed by Hume or OpenAI, so confidential content should only be used if the user accepts those providers' terms and data handling.

Why it was flagged

The selected text is sent to Hume's TTS API. This external provider flow is disclosed and necessary for the skill, but it means user text leaves the local environment.

Skill content

fetch('https://api.hume.ai/v0/tts', ... body: JSON.stringify({ utterances: [{ text: options.text, voice: { id: options.voice } }] }))

Recommendation

Before converting sensitive text, confirm the user is comfortable sending it to the selected TTS provider and avoid including secrets in the text.

What this means

The generated audio file could replace a file at the chosen output path.

Why it was flagged

The script writes the generated audio to an agent/user-supplied path. That is expected for producing an MP3, but a poorly chosen path could overwrite an existing file.

Skill content

requiredOption('-o, --output <path>', 'Output file path ...'); ... await fs.promises.writeFile(options.output, buffer);

Recommendation

Use a dedicated output location and avoid protected or existing files unless overwriting is intended.

What this means

Users may need to verify or install dependencies manually and have less provenance information than with a fully declared package source.

Why it was flagged

The skill includes runnable Node scripts and npm dependency files, but the registry does not provide a clear source/homepage or install spec. The included lockfile mitigates dependency ambiguity, and no automatic install is shown.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Use the included lockfile when installing dependencies. The publisher should add a source/homepage plus explicit setup requirements.