Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Xiaomi MiMo-V2-TTS

v1.0.0

Converts text to speech using Xiaomi MiMo-V2-TTS with support for emotional styles, Chinese dialects, role voices, and singing synthesis.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, SKILL.md, and script all implement Xiaomi MiMo V2 TTS and only require an API key and an output path, which is coherent with the stated purpose. However, registry metadata lists no required environment variables/primary credential while both SKILL.md and the script require a MIMO_API_KEY (or --api-key). This metadata mismatch is unexpected and should be corrected/clarified.
Instruction Scope
Runtime instructions and the script stay within TTS scope: they call api.xiaomimimo.com, accept style/speed/format, and write audio to a local output path. The agent is not instructed to read unrelated files, system state, or transmit data to other endpoints.
Install Mechanism
There is no formal install spec (instruction-only), but the script will attempt to pip-install the 'requests' package at runtime if missing. That triggers network downloads and execution of pip; this is common, but it adds runtime behavior beyond that of a pure instruction-only skill and should be noted.
Credentials
The only secret the script uses is the MiMo API key (MIMO_API_KEY), which is appropriate for an API-backed TTS. The concern is the registry metadata claiming 'no required env vars' while the SKILL.md/script require an API key — this inconsistency could mislead users into installing without providing credentials and reduces transparency.
Persistence & Privilege
The skill does not request persistent/always-enabled privileges and does not modify other skills or global agent configuration. It runs on invocation and writes only the requested audio output file.
What to consider before installing
This skill appears to implement the advertised Xiaomi MiMo TTS and only needs a MiMo API key and the ability to write the chosen output file. Before installing: (1) be aware the registry metadata omits the required MIMO_API_KEY — you will need to provide that credential (env var or CLI). (2) The script will auto-install 'requests' with pip if missing (network download at runtime). If you trust the Xiaomi MiMo service and the package source (PyPI), this is reasonable; otherwise verify the API domain (api.xiaomimimo.com), consider running the script in a sandboxed environment, and avoid exposing broader credentials. If you need higher assurance, ask the publisher to fix the registry metadata and provide a signed release or vetted install instructions.

Like a lobster shell, security has layers — review code before you run it.
