Zvukogram
PassAudited by ClawScan on May 1, 2026.
Overview
The skill matches its text-to-speech purpose, with expected cautions that it uses Zvukogram credentials, sends requested text to Zvukogram, and can run ffmpeg for audio merging.
This appears safe to use for its stated TTS purpose if you are comfortable sending the selected text to Zvukogram. Store the API token/email securely, avoid converting sensitive documents unless permitted, monitor any paid balance usage, and use the merge helper only with trusted files and a confirmed output path.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill can spend tokens or reveal account status through the Zvukogram account tied to the provided credentials.
The skill explicitly requires a Zvukogram API token and account email, which is expected for the integration but gives the skill authority to use that account.
requires:\n env: [ZVUKOGRAM_TOKEN, ZVUKOGRAM_EMAIL]\n credentials: [zvukogram_api]
Use a dedicated or revocable API token, avoid hardcoding real credentials in shared scripts, and monitor the account balance.
Any text or file content converted to speech is sent to Zvukogram for processing.
The TTS script posts the user's text plus account credentials to the external Zvukogram API, which is central to the stated purpose but important for privacy.
API_BASE = "https://zvukogram.com/index.php?r=api" ... data = {"token": token, "email": email, "voice": voice, "text": text, ...}Do not send confidential or regulated text unless you are comfortable with Zvukogram processing it under your account.
Merging audio will run ffmpeg locally and can overwrite the chosen output file.
The merge helper invokes a local ffmpeg process and uses -y to overwrite the output file; this is purpose-aligned for audio merging but still local command execution.
cmd = ["ffmpeg", "-y", "-f", "concat", "-safe", "0", "-i", str(list_file), "-acodec", "copy", output]
Run merging only on trusted audio paths, install ffmpeg from a trusted source, and confirm the output path before invoking the merge command.
Users have less upstream provenance information to verify the publisher or project history.
The registry metadata provides limited provenance and no install spec; this is not suspicious by itself because the helper scripts are included and user-invoked.
Source: unknown\nHomepage: none\nInstall specifications: No install spec — this is an instruction-only skill.
Review the included scripts before use and prefer a registry entry with a clear homepage/source if provenance matters for your environment.