Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Voice Broadcast

v1.0.0

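Voice broadcast control skill. Converts AI reply content into spoken audio. Triggers: (1) when the user says "朗读" (read aloud), the AI's last text reply is automatically converted to speech; (2) when the user says "开启语音播报" (enable voice broadcast), all subsequent replies are read aloud automatically; (3) when the user says "静音" (mute), voice broadcast is paused. Intended for users (especially iOS users) who want to receive information by voice, or who want replies played via TTS when their hands are occupied.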

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (voice broadcast/TTS for replies) matches the instructions to parse commands, use a TTS tool, and send audio. However, SKILL.md requires sending voice via Feishu (飞书), but the skill does not declare any Feishu credentials or environment variables; that omission is unexpected unless the platform itself provides a built-in Feishu tool.
Instruction Scope
Instructions read/write /workspace/memory/voice_state.json (reasonable for local state) and call a 'tts' tool then send audio via Feishu. Two problematic behavioral items: (1) the skill forces broadcasting of 'urgent' clinical/critical content and explicitly ignores mute, which overrides user preferences and can leak sensitive info; (2) it says the TTS tool will auto-send audio and set textual reply empty, which is a side-effect that may be surprising and could hide textual context or logging. The SKILL.md gives the agent broad discretion to decide 'urgent'—this is vague and risky.
Install Mechanism
Instruction-only skill with no install spec or code files — lowest install risk. Nothing is downloaded or written beyond the declared workspace state file.
Credentials
No environment variables or credentials are requested. That is reasonable if the platform provides built-in 'tts' and Feishu tools, but inconsistent if Feishu sending requires tokens: sending messages to a channel usually needs credentials (e.g., Feishu bot token) which are not declared. The skill does not request any unrelated secrets or system paths.
Persistence & Privilege
The skill writes a small persistent state file under /workspace/memory/voice_state.json to track auto/mute flags — this is proportionate for its function. always:false and normal invocation settings are appropriate. It does not request system-wide privileges or modify other skills.
What to consider before installing
Before installing, confirm the platform's environment: does it provide a built-in 'tts' tool and Feishu integration so no credentials are needed? If not, ask the author which credentials/config are required and why they weren't declared. Decide whether you accept the 'urgent content forced broadcast' behavior — this will override mute and could expose sensitive information. Verify where /workspace/memory/voice_state.json is stored and whether other skills or users can read it. Test the skill in a restricted environment first and ask the author to add explicit handling for 'urgent' rules (e.g., a configurable whitelist) and to declare any required credentials.
