Bailian TTS

v1.2.0

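Bailian (百炼) TTS speech synthesis: supports switching between multiple voices, generates high-quality Chinese speech, and requires a configured Bailian API Key.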

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description, SKILL.md, and the included script all describe TTS via 百炼/Dashscope and require an API key — this is coherent. However, the registry metadata did not list the required environment variable (DASHSCOPE_API_KEY), which is inconsistent with the skill's documented needs.
Instruction Scope
Runtime instructions only perform TTS: call the dashscope API with provided text/voice/model and download the returned audio to a local file. The SKILL.md and script do not instruct reading unrelated files or secrets. Note: the code downloads whatever audio URL the API returns without domain validation, which is expected for this use but could be abused if the upstream API returns attacker-controlled URLs.
Install Mechanism
No install spec; SKILL.md suggests installing 'dashscope' and 'requests' via pip. This is a normal, low-risk approach (no arbitrary downloads or unusual install locations).
Credentials
The script and docs require a single API key (DASHSCOPE_API_KEY), which is proportional to the stated purpose. The registry metadata, however, lists no required env vars or primary credential — that mismatch should be corrected so users know the credential will be needed.
Persistence & Privilege
The skill is not always-enabled, does not claim system-wide changes, and doesn't persist beyond its own files. It can be invoked autonomously (default) but that is normal and not excessive here.
Assessment
This skill appears to be a straightforward TTS client for 百炼/Dashscope: it needs a DASHSCOPE_API_KEY (set via env or passed into generate_tts), calls the remote API, then downloads the audio to a file. Before installing, consider: (1) provide a dedicated, limited-scope API key rather than a high-privilege credential; (2) verify the 'dashscope' package on PyPI (or vendor) so you trust the client library; (3) be aware the skill will download whatever audio URL the API returns — if you have strict network or internal-host protections, run it in an isolated environment; (4) the registry metadata should be updated to declare the required DASHSCOPE_API_KEY so users aren't surprised. If you need higher assurance about the upstream service or package provenance, review the dashscope client implementation and the service's docs before use.

Like a lobster shell, security has layers — review code before you run it.

alibaba · audio · bailian · latest · qwen · tts
