Kokoro TTS
PassAudited by ClawScan on May 10, 2026.
Overview
This appears to be a straightforward text-to-speech skill, but any text it speaks is sent to the configured Kokoro server, which may be remote.
This skill is reasonable to install if you trust the Kokoro endpoint you configure. Prefer the local default or a trusted remote server, avoid speaking highly sensitive text through untrusted services, and ensure Node.js is available before using it.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Sensitive text spoken through this skill could be visible to the configured Kokoro server operator if a remote endpoint is used.
The user-provided text is sent to the configured TTS endpoint. This is expected for the skill, but if KOKORO_API_URL points to a remote server, the text leaves the local machine.
const API_URL = process.env.KOKORO_API_URL || 'http://localhost:8880/v1/audio/speech'; ... fetch(API_URL, { method: 'POST', ... body: JSON.stringify({ input: text, voice: voice, speed: speed, ... }) })Use the default local endpoint or another trusted endpoint, prefer secure transport for remote servers, and avoid sending secrets or private content to untrusted TTS services.
Installation or invocation may fail if Node.js is not available, and users may not notice the optional endpoint configuration from metadata alone.
The skill documentation depends on a Node.js command and optional environment configuration, while the registry metadata declares no required binaries or environment variables. This is a minor packaging/metadata gap, not hidden behavior.
The skill uses the `KOKORO_API_URL` environment variable ... node skills/kokoro-tts/scripts/tts.js "<text>" [voice] [speed]
Document Node.js as a runtime requirement and declare KOKORO_API_URL as an optional configuration variable in the registry metadata.