Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Chinese Voice Detective Mystery Game
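v1.0.1
Chinese voice detective mystery game. For users who want to play an immersive detective investigation: the LLM generates a complete case with suspects, clues, and the true culprit; the player interrogates suspects (ASR voice or text input supported), examines the scene, gathers evidence, and finally makes an accusation and receives a score. Supports multi-voice TTS to voice different suspects, automatically compresses interrogation history to prevent context overflow, and automatically validates the case's logical consistency after generation. Supports sav...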
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
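The skill's purpose (a Chinese voice mystery game) is broadly consistent with its implementation: it needs an LLM (case generation/dialogue/scoring), TTS (voice acting), and ASR (speech-to-text). However, the registry metadata declares "Required env vars: none", while both the scripts and SKILL.md explicitly depend on API keys (MYSTERY_LLM_API_KEY / IME_MODEL_API_KEY, SENSEAUDIO_API_KEY, etc.). The mismatch between the registry information and the runtime requirements reduces transparency.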
Instruction Scope
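SKILL.md and the runtime scripts are not fully consistent: the documentation mentions fallback logic for MYSTERY_TTS_API_KEY / MYSTERY_ASR_API_KEY, but the scripts actually use and require SENSEAUDIO_API_KEY (and call ASR/TTS with it), and the LLM key is taken from MYSTERY_LLM_API_KEY or IME_MODEL_API_KEY. The scripts load .env (from the skill directory or the current directory), send text and audio to default third-party endpoints (models.audiozen.cn, api.senseaudio.cn), and write to outputs/ and case_report.json. Note that these actions send the player's voice, transcripts, and reasoning data to external services.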
Install Mechanism
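No install script or untrusted remote download; this is an instruction + Python script package, and requirements.txt lists openai, requests, and python-dotenv. There are no suspicious remote extract/download operations.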
Credentials
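The required credentials (LLM and SENSEAUDIO API keys) are reasonable and common for the functionality (calling LLM/ASR/TTS), but there are several issues: environment variable names are inconsistent across SKILL.md, the scripts, and the registry metadata; the scripts load .env (possibly reading the user's other secrets from the current working directory and placing them in the process environment as available credentials); and the default service domains are third parties (audiozen/senseaudio), so sensitive credentials should not be provided before these services have been reviewed.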
Persistence & Privilege
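The skill does not request to be always enabled (always=false), and does not modify other skills or system configuration. It writes outputs/*.mp3 and case_report.json locally and supports loading saved games via --load, which is consistent with its use as a game.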
What to consider before installing
Before installing or running:
1) Expect to supply API keys: at minimum an LLM key and a SENSEAUDIO (TTS/ASR) key. Verify which exact env names you will set (the script expects MYSTERY_LLM_API_KEY or IME_MODEL_API_KEY, and SENSEAUDIO_API_KEY) because SKILL.md and the code differ.
2) Review and confirm the default endpoints (https://models.audiozen.cn and https://api.senseaudio.cn). If you don't trust those providers, change the environment variables to point to a provider you control, or run with --no-asr/--no-tts to avoid audio network calls.
3) Run the script in an isolated environment (no sensitive .env in cwd), since it will load .env and may pick up other tokens.
4) Inspect outputs/ and case_report.json for any personal data before sharing.
5) If you need higher assurance, ask the author to declare required env vars in the registry metadata, align SKILL.md with the code (consistent env names), and document the privacy policy of the external endpoints; or modify the code to use a vetted provider or a local LLM/TTS/ASR.
Like a lobster shell, security has layers: review code before you run it.
