Alicloud Ai Audio Cosyvoice Voice Design

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Alibaba Cloud CosyVoice request helper with normal API-key and local-output privacy considerations.

Install only if you are comfortable using Alibaba Cloud/DashScope credentials for CosyVoice. Treat DASHSCOPE_API_KEY and any credentials file as sensitive, and avoid putting private, regulated, or proprietary content in voice prompts or preview text unless you are comfortable with those values being saved in local output artifacts and sent to the provider when you submit the request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs users to place an API key in environment variables or a credentials file without any warning about secret sensitivity, least-privilege handling, or avoiding logging/exfiltration. In practice, this can lead to credentials being stored insecurely, exposed in shared environments, or accidentally captured in transcripts and artifacts.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill tells users to save request contents and API response summaries, including voice prompts and preview text, without warning that those fields may contain sensitive, personal, or identifying information. Because this skill designs custom voices, the stored content can reveal biometric-adjacent preferences, identity cues, or proprietary text, increasing privacy and data-retention risk.

VirusTotal

63/63 vendors flagged this skill as clean.
