Alicloud Ai Audio Tts Voice Clone
PassAudited by ClawScan on May 1, 2026.
Overview
The skill’s artifacts match a disclosed Alibaba Cloud voice-cloning workflow, with expected notes around credentials, SDK setup, and stored voice-clone outputs.
Install the SDK in an isolated environment, configure only the Alibaba Cloud credentials needed for this task, use voice samples only with clear consent, and review or clean up the output directory because it may contain sensitive voice-cloning data.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can help create synthetic speech in a cloned voice, so users should only use authorized voice samples and text.
The skill enables provider-side voice cloning and synthesis, which is a high-impact capability, but the purpose is clearly disclosed and the instructions include consent guidance.
Use voice cloning models to replicate timbre from enrollment audio samples. ... Respect consent and policy requirements for cloned voices.
Confirm consent from the speaker and review generated audio before sharing or publishing it.
Using the skill may consume Alibaba Cloud resources and operate under the permissions of the configured API key.
The skill needs Alibaba/DashScope account credentials for its provider workflow; registry metadata lists no primary credential, so users should notice this requirement.
Set `DASHSCOPE_API_KEY` in your environment, or add `dashscope_api_key` to `~/.alibabacloud/credentials`.
Use a least-privilege API key where possible and do not install or run the skill with unrelated credentials.
The installed SDK version may change over time and inherits trust in the package source.
The setup step installs an unpinned provider SDK package. It is user-directed and central to the skill purpose, but package version and provenance are not pinned in the artifact.
python -m pip install dashscope
Install in a virtual environment, consider pinning a known-good `dashscope` version, and use trusted package indexes.
Local output files may reveal the text to synthesize, the voice sample location, and related voice-clone workflow data.
The helper stores the requested text and voice-sample reference in a local JSON file, creating persistent artifacts that may contain sensitive voice-cloning inputs.
req = {"text": args.text, "voice_sample": args.voice_sample, "stream": bool(args.stream)} ... out.write_text(json.dumps(req, ensure_ascii=False, indent=2), encoding="utf-8")Treat the output directory as sensitive, avoid storing private sample URLs unnecessarily, and delete artifacts when no longer needed.