Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

speaker-local

v1.0.0

Text-to-speech using Kokoro local TTS. Use when the user wants to convert text to audio, read aloud, or generate speech.

by Vega @babysor
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (local TTS via Kokoro) match the instructions: examples and reference describe a CLI kokoro-tts and model files needed to convert text/epub/pdf to audio.
Instruction Scope
SKILL.md tells the agent to install kokoro-tts (via 'uv tool install kokoro-tts') and to wget model files from GitHub releases into the working directory. The instructions reference using kokoro-tts, wget, and Python (3.9–3.12) at runtime, but the skill metadata does not declare these requirements. Downloads and saving model binaries to disk are explicitly required and could install/execute third-party code.
Install Mechanism
No install spec in registry metadata, but the instructions call out 'uv tool install kokoro-tts' and direct downloads from GitHub release URLs (github.com/nazdridoy/kokoro-tts/releases/...). GitHub releases are a reasonable host, but 'uv tool install' is an unspecified installer; without knowing what that installer does, there's moderate risk. The downloads are direct model/binary assets (onnx, .bin) — no archive extraction specified.
Credentials
The skill requests no environment variables or credentials, which is appropriate for local TTS. However, the metadata's omission of required runtime tools (kokoro-tts, wget, python) is an inconsistency to address.
Persistence & Privilege
always:false and no declared installs that modify other skills or system-wide config. The skill instructs placing model files in the working directory (normal for local models) but does not request persistent elevated privileges.
What to consider before installing
This skill appears to be a wrapper for the third-party Kokoro TTS CLI and requires downloading model files and installing a tool, but the registry metadata omits those runtime requirements. Before installing or using:
1) verify the kokoro-tts project and release assets on GitHub are the genuine upstream (owner nazdridoy) and inspect release checksums if available;
2) confirm what 'uv tool install kokoro-tts' actually does (review its code or use a manual install) — unknown installers can run arbitrary commands;
3) ensure required runtime binaries (kokoro-tts, Python 3.9–3.12, wget or equivalent) are present and declared in metadata;
4) avoid running installers or executing downloaded model files from untrusted sources;
5) if you need higher assurance, request the skill author add explicit required-binaries and an install spec (or provide vetted package URLs / checksums).
If you cannot verify the installer and release assets, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.
