ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aliyun Cosyvoice Voice Design

v1.0.0

Use when designing custom voices with Alibaba Cloud Model Studio CosyVoice customization models, especially cosyvoice-v3.5-plus or cosyvoice-v3.5-flash, from...

0· 3·0 current·0 all-time
by@cinience
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name, description, SKILL.md, references, and helper script all consistently target Alibaba Cloud CosyVoice voice-design enrollment. Requiring an Alibaba Cloud API key (DASHSCOPE_API_KEY or ~/.alibabacloud/credentials) is appropriate for this purpose — however the registry metadata declares no required environment variables or primary credential, which is inconsistent.
Instruction Scope
The SKILL.md instructs building a JSON enrollment request, validating the helper script, and saving outputs under output/aliyun-cosyvoice-voice-design/. It lists only the Aliyun endpoints. This scope is narrowly focused on CosyVoice design, but it explicitly instructs saving voice_prompt and preview_text to local evidence files (possible sensitive user text), which users should be aware of.
Install Mechanism
No install spec — instruction-only plus a small helper Python script. Nothing is downloaded or written by an installer, which is low risk.
!
Credentials
SKILL.md requires DASHSCOPE_API_KEY or credentials in ~/.alibabacloud/credentials to call the Dashscope endpoints, which is proportionate to the stated purpose. But the skill's declared metadata lists no required env vars or primary credential — a clear mismatch. The helper script itself does not read credentials, so it's unclear when/how the credentials are used; the omission reduces transparency and is a risk.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent or elevated platform privileges and does not modify other skills' configs. The helper script writes files only under a local output path.
What to consider before installing
This skill looks like a focused helper for creating Alibaba Cloud CosyVoice enrollment requests, but there are a few things to check before installing or running it: - Ask the publisher to update the package metadata to declare DASHSCOPE_API_KEY (or equivalent) as a required credential so you know what will be needed and why. The SKILL.md currently says to set DASHSCOPE_API_KEY or use ~/.alibabacloud/credentials, but the registry lists no env vars. - Confirm how and when your API key will be used. The helper script only prepares JSON; it doesn't call the network itself — ensure your agent or other tooling will call the listed Dashscope endpoints and that those calls are limited in scope (least privilege API key). - Be aware the skill instructs saving the provided voice_prompt and preview_text to output/aliyun-cosyvoice-voice-design/. Do not include secrets or sensitive PII in those fields if you care about privacy. - If you will run this in an automated agent, review how the agent invokes the skill and whether request/response artifacts are uploaded or transmitted elsewhere. If you need higher assurance, run the included Python script locally, inspect the generated JSON, and only provide an API key with minimal permissions for voice enrollment before using it in production.

Like a lobster shell, security has layers — review code before you run it.

latestvk972p1bkveme6c8vq8as3va13x840ymf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Category: provider

Model Studio CosyVoice Voice Design

Use the CosyVoice voice enrollment API to create designed voices from a natural-language voice description.

Critical model names

Use model="voice-enrollment" and one of these target_model values:

  • cosyvoice-v3.5-plus
  • cosyvoice-v3.5-flash
  • cosyvoice-v3-plus
  • cosyvoice-v3-flash

Recommended default in this repo:

  • target_model="cosyvoice-v3.5-plus"

Region and compatibility

  • cosyvoice-v3.5-plus and cosyvoice-v3.5-flash are available only in China mainland deployment mode (Beijing endpoint).
  • In international deployment mode (Singapore endpoint), cosyvoice-v3-plus and cosyvoice-v3-flash do not support voice clone/design.
  • The target_model must match the later speech synthesis model.

Endpoint

  • Domestic: https://dashscope.aliyuncs.com/api/v1/services/audio/tts/customization
  • International: https://dashscope-intl.aliyuncs.com/api/v1/services/audio/tts/customization

Prerequisites

  • Set DASHSCOPE_API_KEY in your environment, or add dashscope_api_key to ~/.alibabacloud/credentials.

Normalized interface (cosyvoice.voice_design)

Request

  • model (string, optional): fixed to voice-enrollment
  • target_model (string, optional): default cosyvoice-v3.5-plus
  • prefix (string, required): letters/digits only, max 10 chars
  • voice_prompt (string, required): max 500 chars, Chinese or English only
  • preview_text (string, required): max 200 chars, Chinese or English
  • language_hints (array[string], optional): zh or en, and should match preview_text
  • sample_rate (int, optional): e.g. 24000
  • response_format (string, optional): e.g. wav

Response

  • voice_id (string)
  • request_id (string)
  • status (string, optional)

Operational guidance

  • Keep voice_prompt concrete: timbre, age range, pace, emotion, articulation, and scenario.
  • If language_hints is used, it should match the language of preview_text.
  • Designed voice names include a -vd- marker in the generated backend naming convention.

Local helper script

Prepare a normalized request JSON:

python skills/ai/audio/aliyun-cosyvoice-voice-design/scripts/prepare_cosyvoice_design_request.py \
  --target-model cosyvoice-v3.5-plus \
  --prefix announcer \
  --voice-prompt "沉稳的中年男性播音员,低沉有磁性,语速平稳,吐字清晰。" \
  --preview-text "各位听众朋友,大家好,欢迎收听晚间新闻。" \
  --language-hint zh

Validation

mkdir -p output/aliyun-cosyvoice-voice-design
for f in skills/ai/audio/aliyun-cosyvoice-voice-design/scripts/*.py; do
  python3 -m py_compile "$f"
done
echo "py_compile_ok" > output/aliyun-cosyvoice-voice-design/validate.txt

Pass criteria: command exits 0 and output/aliyun-cosyvoice-voice-design/validate.txt is generated.

Output And Evidence

  • Save artifacts, command outputs, and API response summaries under output/aliyun-cosyvoice-voice-design/.
  • Include target_model, prefix, voice_prompt, and preview_text in the evidence file.

References

  • references/api_reference.md
  • references/sources.md

Files

6 total
Select a file
Select a file to preview.

Comments

Loading comments…