Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Whisper Piper Voice

v1.0.0

Set up and run a local voice pipeline combining Whisper STT (speech-to-text) and Piper TTS (text-to-speech) as a single HTTP server. Use when asked to set up...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name, description, SKILL.md, setup guide, and the included Python script all align: faster-whisper for STT, a Piper binary and ONNX voice model for TTS, and ffmpeg to produce Ogg/Opus output. Required downloads (GitHub releases, Hugging Face) and package installs are consistent with delivering a local offline pipeline.
Instruction Scope
Runtime instructions are focused on installing models/binaries, creating a venv, and running the bundled server. They also provide a systemd example to persist the service. The instructions do not request secrets or unrelated system access. However, the default server listens on 0.0.0.0 and no authentication or access control is documented; that is a security and operational concern, since it exposes the service to any host that can reach the machine.
Install Mechanism
There is no automated install spec; installation is manual via documented commands. Downloads are from GitHub releases and Hugging Face (well-known hosts). No obscure or shortener URLs and no archive extraction from unknown servers beyond those legitimate sources.
Credentials
The skill requests no environment variables or credentials. The code and instructions do not attempt to read secrets or unrelated config paths. Required artifacts (piper binary, ONNX voice file, ffmpeg, faster-whisper) are appropriate for the stated functionality.
Persistence & Privilege
The SKILL.md/setup guide suggests enabling a systemd service for auto-start, which is a reasonable convenience for a local server. The skill does not set always:true and does not modify other skills. Still, running the server as a persistent service that binds to 0.0.0.0 increases attack surface; advise running as an unprivileged user and exposing only the intended interfaces.
Assessment
This skill appears to do what it claims, but take these precautions before installing and running the server:

1) By default the server binds 0.0.0.0 and has no authentication — restrict it to localhost or put it behind a reverse proxy with auth (or firewall rules) if you will expose it on a network.
2) Run the service as an unprivileged user (as in the systemd example) and avoid running as root.
3) Verify downloaded artifacts (piper binary and voice models) come from the official project pages/releases and review license terms for model use.
4) Consider rate-limiting or network controls; the server spawns subprocesses (piper, ffmpeg) for each request and has no built-in quotas, so untrusted input or heavy traffic could exhaust resources.
5) If you need remote access, add TLS and authentication (reverse proxy or API key) — do not expose the plain HTTP endpoints to the open internet.
