Skill v1.0.0
ClawScan security
WaveSpeedAI MiniMax Speech 2.6 TTS · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 3, 2026, 7:28 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior (TTS calls to WaveSpeed) is coherent with its description, but the runtime instructions require an API key and reference an npm package while the registry metadata declares no required credentials or install steps and the source/homepage are unknown — this mismatch is suspicious and should be clarified before use.
- Guidance: Before installing or using this skill: (1) Confirm the publisher and the legitimacy of wavespeed.ai (or the package author) — the registry metadata has no homepage/source. (2) Ask the publisher to update metadata to declare the required WAVESPEED_API_KEY and any package dependencies, so you know what secrets/dependencies are needed. (3) Inspect or verify the 'wavespeed' npm package (or other client) on the official registry and prefer installing from the official package name and a trusted source. (4) If you must provide an API key, consider creating a limited-scope/test key, not a long-lived production key, and avoid sending sensitive PII through the service. (5) Run in an isolated environment or sandbox first and monitor network calls. (6) If the publisher cannot explain the metadata mismatch or provide a trustworthy source, treat the skill as untrusted.
Review Dimensions
- Purpose & Capability (note): The name/description (text-to-speech via MiniMax Speech 2.6) matches the SKILL.md instructions: example code calls wavespeed.run, parameters are TTS-related, and there is no unrelated functionality. However the SKILL.md references an external 'wavespeed' client library (npm) which is not declared in the registry metadata; otherwise capability is coherent.
- Instruction Scope (ok): Runtime instructions stay within TTS scope: they show how to set an API key, call the WaveSpeed model, configure voice/emotion/format, and handle errors. The instructions do not ask the agent to read unrelated local files or system secrets beyond the API key, nor do they instruct exfiltration to other endpoints. They do call external network services (the WaveSpeed API), which is expected for a TTS integration.
- Install Mechanism (note): This is an instruction-only skill with no install spec and no code files (low install surface). However, the examples import a 'wavespeed' npm package but the skill does not declare that dependency or provide installation instructions — the author may have assumed the package exists. The lack of a declared install/source for that package and unknown source/homepage increases risk: verify the package origin before running code that imports it.
- Credentials (concern): SKILL.md explicitly instructs users to set WAVESPEED_API_KEY, but the registry metadata lists no required environment variables and no primary credential. This mismatch means the skill silently requires a secret to function even though metadata doesn't declare it. The requested secret (an API key for the external TTS service) is plausible for the skill's purpose, but the missing declaration and unknown publisher/homepage are concerning and should be corrected or explained.
- Persistence & Privilege (ok): The skill does not request always:true, does not modify system or other skills, and is instruction-only so it does not install persistent components. Default autonomous invocation is allowed (normal for skills) but there are no indications of privileged persistence.
