ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Ai Audio Cosyvoice Voice Design

v1.0.0

Use when designing custom voices with Alibaba Cloud Model Studio CosyVoice customization models, especially cosyvoice-v3.5-plus or cosyvoice-v3.5-flash, from...

0· 196·0 current·0 all-time
by@cinience
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's name, description, endpoints, and helper script all match an Alibaba Cloud CosyVoice voice-design workflow — requesting an API key and calling dashscope endpoints is expected. However, the registry metadata declares no required environment variables or primary credential while SKILL.md explicitly instructs the user to set DASHSCOPE_API_KEY or add a credential to ~/.alibabacloud/credentials. That metadata/instruction mismatch is incoherent and should be corrected.
Instruction Scope
Runtime instructions are focused: prepare a JSON request, optionally validate a response, and save artifacts under an output directory. The SKILL.md references only the CosyVoice endpoints and local paths; it does not instruct the agent to exfiltrate data to third-party endpoints. It does request storing 'evidence' including voice_prompt and preview_text, which may contain user-provided content and should be treated as potentially sensitive.
Install Mechanism
This is an instruction-only skill with one small helper script; there is no install spec and nothing is downloaded or installed. That lowers risk.
!
Credentials
The SKILL.md requires DASHSCOPE_API_KEY or credentials in ~/.alibabacloud/credentials but the skill registry lists no required env vars or primary credential — a mismatch. The helper script also accepts --validate-response which reads an arbitrary local JSON path; if misused it could cause local file disclosure when run by an agent. Requesting a single service API key is proportionate for this purpose, but the registry should declare it and users should provide a scoped (least-privilege) key.
Persistence & Privilege
The skill does not request always:true and is user-invocable; it does not request persistent or elevated platform privileges and does not modify other skills' configs.
What to consider before installing
This skill appears to do what it says (build CosyVoice enrollment requests) but there are a few concerns to address before using it: - The SKILL.md tells you to set DASHSCOPE_API_KEY or add dashscope credentials, but the registry metadata lists no required credentials — treat that as an omission, not a guarantee of safety. Provide a scoped, rotation-ready API key with minimal privileges. - Review the helper script before running. Its --validate-response option reads any local JSON file path you pass: do not point it at sensitive system files. If you run the skill under an agent, confirm the agent will not call the script with attacker-controlled file paths. - Verify the endpoints in SKILL.md (dashscope.aliyuncs.com and dashscope-intl.aliyuncs.com) match official Alibaba Cloud documentation for your region. - Because the skill writes 'evidence' containing your voice_prompt and preview_text to an output directory, avoid including secrets or sensitive PII in those fields. - Consider asking the publisher to update registry metadata to declare DASHSCOPE_API_KEY as a required credential and to document any data storage/retention expectations. If you cannot verify the publisher, run the script locally in an isolated environment and with a least-privilege API key.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cq0ysf8p8y823frmhwsmt0d82qthw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments