Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

mmVoiceMaker

v1.0.1

Enables voice synthesis, voice cloning, voice design, and audio post-processing using MiniMax Voice API and FFmpeg. Use when converting text to speech, creat...

by Haolan He (@blue-coconut)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (MiniMax TTS + FFmpeg) match the included code and docs: the code implements TTS, cloning, design, and FFmpeg-based audio processing. However, the registry metadata claims no required environment variables or credentials, while both SKILL.md and the code clearly require MINIMAX_VOICE_API_KEY (and optionally MINIMAX_API_BASE). That metadata omission is an inconsistency: anyone legitimately using this skill needs the API key and FFmpeg, so the declared metadata is incorrect or incomplete.
Instruction Scope
Runtime instructions tell the agent to run check_environment.py, create and validate segments.json, save intermediate and final audio files under the agent's current working directory, and to contact the MiniMax API. The instructions therefore require filesystem write access in the agent's cwd and network access to api.minimaxi.com. Nothing in the instructions directs broad or unrelated data collection, but the agent will create potentially many temp files (./audio/tmp/) and is told to persist temp files until the user confirms — be careful to run in a safe directory and review produced files before deleting.
Install Mechanism
There is no external install step or remote download in the skill bundle — the Python source files are included in the package. That reduces supply-chain risk relative to arbitrary remote installs. The code expects typical Python dependencies (requests, websockets) and FFmpeg, but there is no automatic installer; the user/agent must install those separately.
Credentials
Although the registry lists no required env vars, both SKILL.md and check_environment.py require MINIMAX_VOICE_API_KEY (and support MINIMAX_API_BASE). The skill will read that environment variable and use it to authenticate to the MiniMax API. This mismatch between declared and actual required credentials is a material inconsistency and should be resolved before use. Aside from the API key and FFmpeg, no unrelated credentials are requested.
Persistence & Privilege
The skill is not marked always:true and does not request elevated platform privileges. It does write temporary and output audio files into the agent's working directory and suggests manual cleanup (rm -rf ./audio/tmp/). That file-writing behavior is expected for audio production but means you should avoid running it from sensitive system directories and confirm file locations before running destructive cleanup commands.
What to consider before installing
Key things to consider before installing/use:
- Metadata mismatch: the registry claims 'no required env vars' but the skill and its check script require MINIMAX_VOICE_API_KEY (and optionally MINIMAX_API_BASE). Do not proceed without confirming where that API key comes from and what permissions it has.
- Network calls: the code will call https://api.minimaxi.com (or whatever MINIMAX_API_BASE you set). Verify the API provider is legitimate and that sending audio and transcripts to it matches your privacy policy.
- Run checks in a safe workspace: follow the instructions to run python check_environment.py and run the CLI from an isolated folder or container so the tool's temp files (./audio/tmp/) cannot overwrite important data.
- Review included code if you can: because the package includes Python scripts, inspect scripts/ for any unexpected endpoints, logging of secrets, or upload routines before providing your API key.
- If unsure, run in an isolated environment (VM/container) and/or provide a least-privilege API key (if provider supports scoping) or a test account. Resolve the metadata inconsistency with the skill author (who/what is the MiniMax service and why were required env vars omitted) before trusting it with sensitive inputs.

Like a lobster shell, security has layers — review code before you run it.
