Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Ai Audio Tts Voice Clone

v1.0.2

Voice cloning workflows with Alibaba Cloud Model Studio Qwen TTS VC models. Use when creating cloned voices from sample audio and synthesizing text with clon...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description describe Alibaba Cloud Qwen TTS voice cloning and the SKILL.md instructs installing a cloud SDK and using an API key or Alibaba credentials, which is coherent for that purpose. However, the registry metadata declares no required environment variables or primary credential while the instructions explicitly require DASHSCOPE_API_KEY or ~/.alibabacloud/credentials — an inconsistency.
Instruction Scope
The SKILL.md stays within the voice-clone scope: it instructs creating a venv, installing an SDK, preparing request JSON, running a read-only connectivity check, performing the operation, and saving outputs. It does not instruct reading unrelated system files or exfiltrating data. The only access outside the skill's domain is the optional ~/.alibabacloud/credentials file (appropriate for cloud credentials).
Install Mechanism
There is no formal install spec in the registry (instruction-only), but SKILL.md requires 'python -m pip install dashscope'. Using pip is typical for Python SDKs, but the package 'dashscope' is not otherwise referenced in metadata and its provenance is unknown here — this is a moderate risk and worth verifying (is it an official Alibaba package or third-party wrapper?).
Credentials
The runtime instructions require DASHSCOPE_API_KEY or adding credentials to ~/.alibabacloud/credentials, which is appropriate for calling Alibaba Cloud APIs. However, the skill metadata lists no required env vars or primary credential, creating a missing-declaration problem. The requested secrets themselves (API key or standard Alibaba credentials) are proportional to the stated purpose, but the omission in metadata reduces transparency.
Persistence & Privilege
The skill is instruction-only, has no install spec that writes system files, does not request 'always: true', and does not declare changes to other skills or system-wide config. It asks you to persist voice_id locally (reasonable for reuse) and to save outputs under an output/ path which is expected behavior.
What to consider before installing
This skill appears to implement Alibaba Cloud Qwen TTS voice cloning, but there are a few things to check before installing:
(1) The SKILL.md requires an API key (DASHSCOPE_API_KEY) or entries in ~/.alibabacloud/credentials, yet the registry metadata does not declare any required credentials — ask the publisher to add a primaryEnv and list required env vars.
(2) The instructions call for pip installing 'dashscope' — verify that 'dashscope' is an official/expected SDK (check PyPI, the maintainer, and project homepage) before installing, and prefer creating an isolated virtualenv as recommended.
(3) Confirm you are comfortable providing Alibaba Cloud credentials to any code that will use them and that you have consent for cloning any voice samples.
(4) Optionally review the pip package source or run the helper script in a sandbox to inspect behavior.
If the publisher clarifies the missing metadata and the dashscope package provenance checks out, the skill's behavior appears coherent with its stated purpose.

Like a lobster shell, security has layers — review code before you run it.
