Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Chinese Bedtime Story Generator
v1.0.1生成多角色中文睡前故事并合成语音。适用于用户想为孩子定制个性化睡前故事的场景:根据孩子姓名、年龄和兴趣,由 LLM 创建完整世界观和角色,生成分段故事文本(每段标注说话人),再由 TTS 以不同音色合成旁白、主角、小伙伴和长者的语音,最终拼接为完整 MP3 音频文件。支持连载模式(`--continue`)在多次...
⭐ 1· 171·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's stated purpose is generating multi-role Chinese bedtime stories and synthesizing them to MP3 — the code implements exactly that (LLM calls to generate JSON story text, per-segment TTS calls, saving outputs). However, the registry metadata declares no required environment variables or primary credential even though the code requires API keys for the LLM and TTS providers. That mismatch (declared none vs. actual required credentials) is a substantive inconsistency that reduces transparency.
Instruction Scope
SKILL.md instructions and the code are largely aligned: they read CLI args, optionally load story_state.json for continuation, call an LLM to create world/segments, call a TTS API per segment, and write files under an outputs/ directory. A small mismatch: SKILL.md says TTS reads STORY_TTS_API_KEY fallback to SENSEAUDIO_API_KEY whereas the code only uses SENSEAUDIO_API_KEY; the SKILL.md also claims LLM key fallback to IME_MODEL_API_KEY which the code implements. The code does not attempt to read unrelated system files beyond optional .env files and the outputs/story_state.json it manages itself.
Install Mechanism
There is no installer/spec; the skill is instruction+script based and provides requirements.txt (openai, requests, python-dotenv). No arbitrary remote downloads or extract operations are specified. This is low-risk from an installation footprint perspective, but it does require installing Python packages.
Credentials
The skill actually requires API keys at runtime (LLM: STORY_LLM_API_KEY or IME_MODEL_API_KEY; TTS: SENSEAUDIO_API_KEY as coded). The registry metadata lists no required env vars or primary credential, which is misleading. The skill will transmit the child's name, age, interests and story text to external LLM/TTS services (defaults: https://models.audiozen.cn and https://api.senseaudio.cn). Requesting those keys is proportionate to the function, but the omission from metadata and the presence of third-party endpoints handling child-identifying data are privacy-relevant and should be made explicit to users.
Persistence & Privilege
always is false and disable-model-invocation is false (normal). The skill writes its own outputs/story_state.json and episode files under an outputs/ directory; it does not request system-wide configuration or modify other skills. No elevated or permanent platform privileges are requested.
What to consider before installing
Before installing or running this skill: (1) be aware it will send the child's name, age, interests and generated story text to external LLM and TTS services (defaults point to models.audiozen.cn and api.senseaudio.cn). Verify you trust those providers and their privacy policies. (2) The registry metadata did not declare the required API keys; you must set environment variables (STORY_LLM_API_KEY or IME_MODEL_API_KEY for the LLM; SENSEAUDIO_API_KEY for TTS) or the script will exit. (3) There is a small mismatch between SKILL.md and the code regarding the TTS key name — inspect or test the script in a sandbox first. (4) If you care about privacy, either use non-identifying test data or host your own LLM/TTS endpoints and set STORY_LLM_BASE_URL / STORY_TTS_URL accordingly. (5) If you need greater assurance, review the full scripts/run_story.py content and the remote endpoints the code calls, or ask the publisher for explicit documentation of required env vars and endpoints.Like a lobster shell, security has layers — review code before you run it.
audiovk974qbr2kpydwzym3686f32rdn830ks1childrenvk974qbr2kpydwzym3686f32rdn830ks1chinesevk974qbr2kpydwzym3686f32rdn830ks1latestvk9780kys7ech07yssdqej740n5832n2vstoryvk974qbr2kpydwzym3686f32rdn830ks1ttsvk974qbr2kpydwzym3686f32rdn830ks1
License
MIT-0
Free to use, modify, and redistribute. No attribution required.