Daily Voice Quote 每日名言語音

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If configured, the skill can use the user's ElevenLabs/LINE credentials and send messages to the configured recipient, potentially consuming quota or sending unintended daily messages if misconfigured.

Why it was flagged

The script requires a LINE bearer token and uses it to push an audio message. This matches the delivery purpose, but it grants messaging authority to the configured LINE bot/channel.

Skill content
[ -z "$LINE_CHANNEL_ACCESS_TOKEN" ] && missing="$missing LINE_CHANNEL_ACCESS_TOKEN" ... -H "Authorization: Bearer $LINE_CHANNEL_ACCESS_TOKEN"
Recommendation

Use dedicated, least-privilege API keys and a dedicated LINE bot/channel where possible; restrict the LINE recipient ID, keep tokens secret, and revoke or rotate tokens when no longer needed.

What this means

Voice, photo, or video likeness data may leave the local workspace and be processed or retained by third-party services.

Why it was flagged

The setup explicitly sends voice samples and optional face/avatar video to external providers for cloning or training. This is core to the skill, but it involves sensitive biometric likeness data.

Skill content
The owner records 1-3 minutes of voice → uploads it to ElevenLabs Voice Lab ... The owner records a 2-minute selfie video and uploads it for training
Recommendation

Only use this with clear consent from the person depicted; review ElevenLabs/HeyGen privacy and retention settings, use dedicated accounts, and delete local samples when they are no longer needed.

What this means

Anyone who obtains the media URL may be able to access the generated audio or video until it is removed or access is restricted.

Why it was flagged

The LINE delivery workflow requires generated audio/video to be reachable through a public HTTPS URL. This is necessary for LINE media delivery, but it can expose the generated voice/video if the URL or bucket is not protected.

Skill content
Source | Must be a public HTTPS URL ... Public URL options: ... ngrok/cloudflare tunnel ... S3/GCS/Cloudflare R2
Recommendation

Use unguessable URLs, short retention periods, private buckets with signed URLs where possible, and avoid hosting generated media in broadly browsable public directories.

What this means

Installing the skill may add third-party binaries to the local environment, which carry normal package supply-chain risk.

Why it was flagged

The skill installs external command-line tools, including sag from a Homebrew tap. These tools are relevant to TTS and media processing, but users must trust their package sources.

Skill content
brew | formula: steipete/tap/sag ... brew | formula: ffmpeg ... brew | formula: uv
Recommendation

Install from trusted package sources, review the sag tap/formula if desired, keep tools updated, and remove unused binaries.

Note (Medium Confidence)
ASI10: Rogue Agents
What this means

If the user configures a cron or scheduler, the skill may keep generating media, using API quota, and sending LINE messages each day.

Why it was flagged

The instructions describe recurring daily automation. This is the stated purpose, and no hidden persistence installer is shown, but scheduled execution can continue until explicitly disabled.

Skill content
Automatically selects a famous quote every morning ... collected automatically on each daily cron run
Recommendation

Configure recurring execution explicitly, document where the schedule is installed, and verify there is an easy way to pause or disable the daily job.