Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Dependencies (pymupdf for PDF parsing, edge-tts for TTS, ffmpeg for silence/concat) are appropriate for the stated purpose. Requiring edge-tts and ffmpeg is coherent. The SKILL.md install metadata includes pip packages that match runtime needs.
Instruction Scope
SKILL.md promises extracting "only the English part" from each line, but the implemented regex (re.match(r'^([a-zA-Z].*)$')) will capture the entire line starting with a letter — including trailing Chinese — so the code does not actually strip translations as described. Also the script falls back to a hardcoded directory '/root/.openclaw/media/inbound' when no PDF path is supplied; that is an internal path and may give the skill access to files placed in agent/system-owned locations. These two issues are scope mismatches between the spec and the implementation and can lead to surprising behavior or data exposure.
Install Mechanism
This is an instruction-only skill with no external download URLs or extract steps. The SKILL.md lists pip packages (edge-tts, pymupdf) which align with the code. No high-risk installers or remote archives are used.
Credentials
The skill requests no environment variables or credentials, which is appropriate. However, it defaults to reading from a specific internal path (/root/.openclaw/media/inbound) if no PDF is provided — this implicit file access could expose internal files if users don't explicitly pass a path.
Persistence & Privilege
The skill does not request permanent/autonomous enrollment (always:false) and does not modify other skills or system settings. It runs as a one-off script and uses temporary directories for intermediate work; final outputs are written to /tmp by default.
What to consider before installing
This skill is mostly coherent for generating TTS from a PDF, but two issues deserve attention before installing: (1) The code uses a hardcoded fallback directory (/root/.openclaw/media/inbound) when you don't pass a PDF path — if you don't want the skill to read agent/internal files, always invoke it with an explicit PDF path. (2) The extraction regex does not actually strip Chinese translations as the documentation states, which may produce mixed-language audio. If you plan to use it, run it in an isolated environment first, verify the outputs on sample PDFs, and consider patching the extraction logic (e.g., capture only [A-Za-z ]+ at line start or split on non-ASCII) and changing the default inbound path to a safer location. Also ensure edge-tts and ffmpeg are installed from trusted sources.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📚 Clawdis
Bins: edge-tts, ffmpeg
