Chattts
PassAudited by ClawScan on May 10, 2026.
Overview
This skill appears to do its advertised TTS job, but it sends the supplied text to a configured/default HTTP ChatTTS endpoint and has minor endpoint metadata issues.
This looks safe for its stated purpose if you intend to use a ChatTTS server. Before installing or using it, set CHATTTS_API_URL to a server you control or trust, do not send sensitive text to an untrusted HTTP endpoint, and be aware that the registry metadata currently labels the endpoint configuration incorrectly.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Text sent for speech synthesis may be visible to the configured/default ChatTTS server or anyone able to observe that HTTP connection.
The script posts the user-supplied text payload to an HTTP ChatTTS API endpoint; this is necessary for TTS generation but means the endpoint receives the text.
const apiUrl = process.env.CHATTTS_API_URL || 'http://172.23.252.114:8020'; ... body: JSON.stringify(payload)
Use a trusted local/private ChatTTS server, set CHATTTS_API_URL explicitly, and avoid sending sensitive text to an endpoint you do not control.
Users may not know the author's provenance or how to configure the endpoint from registry metadata alone, and may unintentionally use the hard-coded default endpoint.
The publisher provenance is limited and the registry metadata treats a URL as an env var/credential instead of declaring the actual CHATTTS_API_URL configuration.
Source: unknown; Homepage: none; Required env vars: http://172.23.252.114:8020; Env var declarations: none; Primary credential: http://172.23.252.114:8020
Inspect the included script before use, install only if you trust the publisher, and prefer corrected metadata that declares CHATTTS_API_URL as endpoint configuration rather than a credential.