Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Ai Audio Tts Voice Design

v1.0.1

Voice design workflows with Alibaba Cloud Model Studio Qwen TTS VD models. Use when creating custom synthetic voices from text descriptions and using them fo...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description match the instructions and helper script: preparing requests for Alibaba Cloud Qwen TTS voice-design models. However, the package metadata declares no required environment variables or credentials while SKILL.md explicitly asks for DASHSCOPE_API_KEY or a dashscope_api_key in ~/.alibabacloud/credentials — a mismatch between declared requirements and operational instructions.
Instruction Scope (!)
SKILL.md stays within voice-design scope (prepare request JSON, validate response, run a minimal read-only check, save outputs). But it explicitly requires an API key (DASHSCOPE_API_KEY) and instructs adding credentials to a user home file; those credentials are not declared in the skill metadata. Instructions also require installing and invoking a pip package (dashscope) which will be executed on the host — this expands the runtime surface beyond what the metadata states.
Install Mechanism
There is no formal install spec (instruction-only), which is low-risk in principle. But SKILL.md instructs creating a venv and running `pip install dashscope`. Installing an externally published Python package at runtime is a moderate risk unless the package provenance is confirmed. The included helper script is small and benign-looking.
Credentials (!)
The credential requested in the instructions (DASHSCOPE_API_KEY or dashscope_api_key in ~/.alibabacloud/credentials) is reasonable for calling Alibaba Cloud services, but the skill metadata does not declare any required env vars or primary credential — this omission reduces transparency and is concerning. No other unrelated secrets are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does not modify other skills or system-wide settings in the provided files. Runtime behavior is limited to using a venv and running a small helper script.
What to consider before installing
This skill appears to implement Alibaba Cloud Qwen TTS voice-design flows, but before installing or using it: (1) confirm the maintainers and provenance of the 'dashscope' package — prefer an official Alibaba SDK or an audited package; (2) treat DASHSCOPE_API_KEY as sensitive and only set it in a controlled environment (use a disposable test key if possible); (3) run the helper script in an isolated virtualenv or container and inspect the package contents you pip-install; (4) update or ask the author to correct the skill metadata to declare required env vars and credentials so you can review them up front; (5) avoid saving sensitive production credentials or broad resource identifiers in output evidence files unless necessary. These steps will reduce risk and make the skill's requirements transparent.

Like a lobster shell, security has layers — review code before you run it.

latest vk978fb8t6jne0q5fvf4b7e7ff582qw08
