Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Indextts Voice

v1.2.1

IndexTTS voice cloning and synthesis skill - create voice models, text-to-speech, reference audio management (requires enterprise membership)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, README, SKILL.md and scripts implement IndexTTS TTS/model management functionality and require an IndexTTS enterprise API sign — that matches the stated purpose. However, the registry-level metadata you provided earlier lists no required environment variables/credentials while the included SKILL.md and clawhub.json declare INDEX_API_SIGN as required. This mismatch is an incoherence between what the package announces in the registry and what it actually needs.
Instruction Scope
SKILL.md instructs the agent/user to set INDEX_API_SIGN and INDEX_BASE_URL, install requests, and run the included Python script to upload local audio files and call IndexTTS endpoints — all within the stated TTS/voice-clone scope. The script reads local audio files and uploads them (expected for model creation/reference upload). A minor issue: validate_config() prints error messages referencing LIPVOICE_API_SIGN / LIPVOICE_BASE_URL (likely a copy-paste/rename bug), which is confusing but not evidently malicious.
Install Mechanism
No install spec is provided (instruction-only plus a Python script). Dependency is only the requests library (pip). This is proportionate and low-risk compared to downloads from arbitrary URLs or executable installers.
Credentials
The only secret required in the code is INDEX_API_SIGN (plus optional INDEX_BASE_URL) which is appropriate for an API client. However, the top-level registry metadata you shared earlier claimed no required env vars while clawhub.json and SKILL.md require INDEX_API_SIGN — this discrepancy should be resolved before trusting automated installs. The skill will transmit the API sign to the IndexTTS endpoints (expected for API usage).
Persistence & Privilege
The skill does not request persistent/always-enabled presence, does not modify other skills, and does not request elevated privileges. It behaves as a normal user-invocable CLI skill.
Scan Findings in Context
[pre_scan_injection_signals] expected: No pre-scan injection signals detected. Network calls and file uploads in the script are expected for a TTS API client.
What to consider before installing
This skill is an IndexTTS CLI client that uploads local audio and calls the IndexTTS API; it requires an IndexTTS enterprise API sign (INDEX_API_SIGN). Before installing:
1) Verify you actually have an IndexTTS enterprise API key and are willing to upload audio to the external service; do not upload sensitive audio.
2) Note the registry metadata mismatch: the published metadata you saw claims no required env vars, but the package (SKILL.md and clawhub.json) requires INDEX_API_SIGN — prefer the latter.
3) The code contains a minor copy/paste bug in error messages (references LIPVOICE_*), which is sloppy but not necessarily malicious; consider reviewing the full script for other inconsistencies.
4) Run the skill in an isolated environment (or inspect/execute the script manually) and do not provide any unrelated secrets.
5) If you need high assurance, obtain the skill from a trusted source or contact the listed repository/author to resolve the metadata mismatch before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk9703e7msyhy07syg7qbkwc8ks8445ee
