Sherpa ONNX TTS
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent offline text-to-speech skill, but it relies on user-downloaded native archives and references a wrapper not present in the reviewed files.
This appears safe for its stated offline TTS purpose. Before installing, confirm you trust the referenced sherpa-onnx GitHub release, verify downloads if possible, and inspect any wrapper script before running it or adding its directory to PATH.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing it means trusting the referenced upstream archives to provide safe native binaries and models.
The skill depends on downloading and extracting native runtime/model archives from GitHub. This is expected for an offline TTS tool, but the artifact does not show checksum or signature verification.
{ "kind": "download", "url": "https://github.com/k2-fsa/sherpa-onnx/releases/download/v1.12.23/sherpa-onnx-v1.12.23-linux-x64-shared.tar.bz2", "archive": "tar.bz2", "extract": true }
Download only from the expected upstream release, verify checksums or signatures if available, and avoid replacing the URLs with untrusted sources.
The skill may be incomplete as provided, and any wrapper supplied later would need separate review before use.
The reviewed file manifest reports only SKILL.md and no code files, so the referenced wrapper is not present in the supplied artifacts for review.
The wrapper lives in this skill folder. Run it directly, or add the wrapper to PATH:
Inspect any bin/sherpa-onnx-tts wrapper before running it or adding it to PATH.
