ClawHub
Back to skill
v1.0.0

Tts

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 4:53 AM.

Analysis

This appears to be a straightforward text-to-speech helper that uses external TTS APIs and API keys in a disclosed, purpose-aligned way.

GuidanceInstall/use this skill only if you are comfortable sending the requested text to Hume or OpenAI. Store API keys securely, avoid pasting secrets inline when possible, do not provide unused secrets such as HUME_SECRET_KEY unless needed, and write output files to a safe location you intend to share.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
scripts/package.json
"dependencies": { "openai": "^4.0.0", "commander": "^11.0.0" }

The helper relies on external npm packages, while the registry says there is no install spec. The package-lock is present, so this is mainly a setup/provenance note rather than a concrete unsafe behavior.

User impactA user may need to install Node dependencies despite the skill being described as instruction-only.
RecommendationInstall dependencies from the included lockfile where possible and keep install requirements reflected in the registry metadata.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
- **Keys**: Stored in environment as `HUME_API_KEY` and `HUME_SECRET_KEY`... `OPENAI_API_KEY="..." node {baseDir}/scripts/generate_speech.js`

The skill asks for third-party provider credentials. That is expected for Hume/OpenAI TTS, but the registry metadata declares no env vars or primary credential, and users should treat these keys as sensitive.

User impactUsers must provide API credentials for the TTS providers; if handled carelessly, those secrets could be exposed in command history, logs, or transcripts.
RecommendationDeclare the required credentials in metadata, prefer pre-set environment variables or a secret manager, and do not provide HUME_SECRET_KEY unless it is actually required.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
scripts/generate_hume_speech.js
await fetch('https://api.hume.ai/v0/tts', { ... body: JSON.stringify({ utterances: [ { text: options.text, voice: { id: options.voice } } ] }) })

The helper sends the requested text to Hume’s external TTS API. This matches the skill’s purpose, but it means message content leaves the local environment.

User impactText submitted for speech generation may be processed by Hume or, when using the legacy script, OpenAI.
RecommendationOnly use the skill for text you are comfortable sending to the selected TTS provider, and review the provider’s data handling terms for sensitive content.