Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Ai Audio Tts Realtime

v1.0.1

Real-time speech synthesis with Alibaba Cloud Model Studio Qwen TTS Realtime models. Use when low-latency interactive speech is required, including instructi...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description and the included Python probe script align with realtime TTS via Alibaba Cloud's dashscope SDK and the listed Qwen models — that capability is coherent. However, the package metadata declares no required environment variables while the runtime script requires DASHSCOPE_API_KEY (or credentials file), which is an inconsistency.
!
Instruction Scope
SKILL.md gives reasonable runtime guidance, but the included script will automatically load .env files from the current working dir and the repository root and will read ~/.alibabacloud/credentials to populate DASHSCOPE_API_KEY; this behavior means the skill could pull unrelated secrets from your environment. The script also downloads audio from URLs returned by the service (audio_url) — normally expected, but it will fetch arbitrary URLs provided in responses, which enlarges the network trust surface.
Install Mechanism
No install spec (instruction-only) and only a pip dependency (dashscope) are required. There is no opaque remote download/install mechanism in the skill bundle itself.
!
Credentials
The runtime requires DASHSCOPE_API_KEY (or credentials entry) though the registry metadata lists no required env vars; this mismatch is misleading. Additionally, the script's auto-loading of .env files can expose unrelated environment secrets to the skill if present.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide configs, and is user-invocable. It writes outputs to a user-visible output directory only.
What to consider before installing
This skill generally does what it says (realtime TTS using Alibaba's dashscope SDK), but take these precautions before installing:
- Expect to supply DASHSCOPE_API_KEY (or add dashscope_api_key to ~/.alibabacloud/credentials). The skill metadata should have declared this but didn't — treat that as a red flag.
- The bundled script will auto-load .env files from the current working directory and the repo root. If you have sensitive secrets in .env, run the probe in a clean/sandboxed environment or remove secrets first.
- The script downloads audio from URLs returned by the service. Ensure you trust the dashscope endpoint (default base URL is dashscope.aliyuncs.com) and consider running in a network-restricted environment if you want to limit unexpected external fetches.
- Review the script locally before running (it is short and readable). If you proceed, run in a virtualenv, set OUTPUT_DIR to an isolated path, and verify the DASHSCOPE_API_KEY scope/permissions are minimal.
- If you maintain the registry entry, update the metadata to declare DASHSCOPE_API_KEY in requires.env and document the .env auto-loading behavior to remove the mismatch.

Like a lobster shell, security has layers — review code before you run it.
