Skill v1.1.6
ClawScan security
Zvukogram · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 29, 2026, 5:00 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent: it implements a Zvukogram TTS client that only needs an API token and email and calls the documented Zvukogram endpoints; nothing in the files indicates hidden exfiltration or unrelated privilege requests.
- Guidance
- This skill is coherent and appears to be a straightforward Zvukogram TTS client. Before installing or using it: (1) Verify that you trust https://zvukogram.com and are comfortable giving your Zvukogram token and account email to the tool; the scripts send them to the official API. (2) If you plan to merge audio, install ffmpeg from a trusted package source; merge.py invokes ffmpeg via subprocess, but ffmpeg is not declared as a required binary. (3) Storing the token in ~/.config/zvukogram/config.json is convenient, but make sure the file permissions are appropriate (readable only by your user). (4) If you need higher assurance, inspect or run the included Python scripts in a sandbox to observe their network calls (they use urllib to post to zvukogram.com) and confirm that no unexpected endpoints are contacted.
Review Dimensions
- Purpose & Capability
- ok: Name/description (Zvukogram TTS) matches the code and docs. Required env vars (ZVUKOGRAM_TOKEN, ZVUKOGRAM_EMAIL) are appropriate for the stated API usage. The scripts call only the documented zvukogram.com API endpoints.
- Instruction Scope
- ok: SKILL.md and the scripts focus on generating TTS, chunking, merging audio, and checking balance. The runtime instructions read a local config (~/.config/zvukogram/config.json) or environment variables, which is expected for an API client. They do not ask for unrelated files, credentials, or network endpoints.
- Install Mechanism
- note: There is no install spec (instruction-only), which is low-risk. The package includes Python scripts that use the stdlib (urllib) and a subprocess call to ffmpeg for merging. The skill does not declare ffmpeg as a required binary, yet the examples and merge.py rely on it; this is a small documentation mismatch (not evidence of maliciousness) that users should note before running the merging steps.
- Credentials
- ok: Only two environment credentials are requested (token and email), which is proportionate for an API client. No other secret names, unrelated cloud creds, or system-wide tokens are required.
- Persistence & Privilege
- ok: always: false; the skill does not request to persist or modify other skills or system-wide settings. It only suggests storing credentials in a local config file, which is normal for a client script.
