Alicloud Ai Audio Tts
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its text-to-speech purpose, but its helper script can redirect credentialed DashScope API calls to a request-selected base URL.
Review before installing. Use only trusted request JSON, do not set `base_url` except to known Alibaba DashScope endpoints, provide the API key through a controlled environment, pin the `dashscope` package if possible, and delete local output files if the source text is sensitive.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted or mistaken request could send an authenticated TTS call, including the API key and text, to an unintended endpoint instead of Alibaba DashScope.
The request can override the SDK API base URL while the script supplies the user's DashScope API key to the SDK call; no endpoint allowlist is shown.
dashscope.base_http_api_url = req.get(
"base_url", "https://dashscope.aliyuncs.com/api/v1"
)
...
api_key=os.getenv("DASHSCOPE_API_KEY")
Remove user-controlled `base_url` or restrict it to an explicit allowlist of Alibaba DashScope endpoints, and require clear user approval for any regional endpoint change.
Installing the latest package may change behavior over time or inherit package-index supply-chain risk.
The skill instructs installing the provider SDK without a pinned version or lockfile; this is purpose-aligned but leaves dependency provenance and version behavior less reproducible.
python -m pip install dashscope
Install in a virtual environment, pin a known-good `dashscope` version, and verify the package source before use.
Text submitted for speech generation may remain in local output or cache files after the task finishes.
The instructions disclose local retention of request payloads and possible caching keyed by text, which is useful for evidence/cost control but may store sensitive text.
Save generated audio links, sample audio files, and request payloads to `output/alicloud-ai-audio-tts/`. ... Cache by `(text, voice, language_type)` to avoid repeat costs.
Avoid sending highly sensitive text unless appropriate, and clear the output/cache directory when the generated evidence is no longer needed.
