Volcengine TTS to TOS Agent
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: day253-volcengine-agent-tts-to-tos Version: 1.0.0 The skill provides a legitimate utility for synthesizing speech using Volcengine TTS and uploading the resulting audio to Volcengine Object Storage (TOS). The Python script (scripts/tts_to_tos.py) follows the documented workflow, using official SDKs and API endpoints (openspeech.bytedance.com) with standard environment variable authentication, and contains no evidence of malicious intent, data exfiltration, or unauthorized execution.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Text and audio may be processed and stored outside the local machine, and anyone with the presigned URL can access the generated audio until it expires.
The main workflow sends the user's text to an external TTS API, uploads the resulting audio to object storage, and creates a temporary access URL. This matches the stated purpose but is externally visible cloud activity.
resp = requests.post(TTS_API_URL, json=body, headers=headers, timeout=60) ... client.put_object(bucket, key, content=audio_bytes, content_type=content_type) ... client.pre_signed_url("GET", bucket, key, expires=expires)Use this only for text you are comfortable sending to Volcengine/TOS, choose a short expiry, and verify the target bucket and key prefix before running it.
If broad cloud credentials are provided, the skill may have more storage authority than needed for a single generated audio upload.
The script authenticates with Volcengine/TOS access keys to create objects and presigned URLs. This is necessary for the integration, but the authority depends on the scope of the supplied keys.
ak = os.environ.get("VOLCENGINE_ACCESS_KEY", "") ... sk = os.environ.get("VOLCENGINE_SECRET_KEY", "") ... return tos.TosClientV2(ak, sk, endpoint, region)Use least-privilege credentials limited to the intended bucket and required operations, and avoid using broad account-level keys where possible.
Dependency behavior may vary over time or across environments if package versions are not pinned.
The setup instructions rely on installing unpinned Python packages. This is normal for a Python tool but leaves package version and provenance to the user's environment.
`pip install requests tos`
Install dependencies in a virtual environment and consider pinning known-good versions of requests and tos.