小米 TTS Proxy

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local Xiaomi text-to-speech proxy, with expected credential and FFmpeg use, but users should protect the API key file.

Install only if you are comfortable sending TTS input text to Xiaomi or your configured upstream proxy. Store ~/.openclaw/tts-proxy.env with restrictive permissions such as chmod 600, do not commit or share it, rotate the API key if exposed, and review any systemd service you create before enabling background startup.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill instructs users to place a live Xiaomi API key in a predictable local file under ~/.openclaw without any guidance to restrict permissions, avoid committing it, or use a secret store. If that file is readable by other local users, backup agents, or accidentally exposed in logs/repos, the key can be stolen and used to consume quota or access the upstream service.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal