ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aliyun Qwen Tts

v1.0.0

Use when generating human-like speech audio with Model Studio DashScope Qwen TTS models (qwen3-tts-flash, qwen3-tts-instruct-flash). Use when converting text...

0· 36·0 current·0 all-time
by@cinience
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name/description, SKILL.md, and the Python script all align: this is a DashScope (Alibaba) Qwen TTS client. However the registry metadata lists no required environment variables or primary credential while the instructions and script require DASHSCOPE_API_KEY (or credentials from ~/.alibabacloud/credentials). That mismatch is an incoherence the user should be aware of.
Instruction Scope
Runtime instructions and the script stay within TTS functionality (compose request, call DashScope API, download audio, save outputs). The script intentionally reads .env files in cwd and in the repo root and will read ~/.alibabacloud/credentials (and honor ALIBABA_CLOUD_PROFILE / ALICLOUD_PROFILE). These file accesses are expected for fetching the API key but are broader than the declared registry requirements.
Install Mechanism
No install spec is embedded (instruction-only skill). SKILL.md recommends installing the 'dashscope' Python SDK via pip in a venv. This is standard, but installing third-party packages carries normal supply-chain risk; the package source should be verified.
!
Credentials
The skill requires an API key (DASHSCOPE_API_KEY) and reads ~/.alibabacloud/credentials and .env files, but the registry metadata declares no required env vars or primary credential. It also uses OUTPUT_DIR and honors ALIBABA_CLOUD_PROFILE / ALICLOUD_PROFILE implicitly. Requesting access to local credential files is proportionate to calling the DashScope API, but the missing declaration is a notable inconsistency.
Persistence & Privilege
The skill is not marked 'always: true', does not modify other skills or system-wide config, and relies on explicitly provided credentials. Autonomous invocation is allowed by default but not combined with other high-risk flags here.
What to consider before installing
Before installing or running this skill: (1) Expect to provide a DASHSCOPE_API_KEY — the registry metadata omits this, so confirm you are comfortable supplying that secret. (2) The script will try to read .env files and ~/.alibabacloud/credentials; avoid keeping high-privilege or unrelated secrets in those files or run the skill in a sandbox. (3) If you must install the 'dashscope' Python package, install it in an isolated venv and verify the package source (PyPI or vendor site). (4) Prefer creating a dedicated DashScope API key with minimal scope for TTS usage, and rotate/revoke it if you stop using the skill. (5) If you need higher assurance, review the included generate_tts.py yourself or run the skill in a controlled environment (no sensitive credentials present) to observe its network calls and output.

Like a lobster shell, security has layers — review code before you run it.

latestvk9712rk1a27an2av7f6g9xmbdd841c2q

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments