Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Voice.ai Voices
v1.1.5
High-quality voice synthesis with 9 personas, 11 languages, and streaming using Voice.ai API.
by Nick Gill (@gizmogremlin)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The skill name/description (Voice.ai TTS) matches the bundled Node.js CLI and SDK and the single required environment variable (VOICE_AI_API_KEY). One minor oddity: the documentation repeatedly refers to https://dev.voice.ai as the "official production API domain" — unusual naming but self-consistent within the package.
Instruction Scope
SKILL.md instructs the agent to set VOICE_AI_API_KEY, run the CLI, read voices.json, and write output files. The runtime instructions and code only perform those actions and make HTTPS requests to the declared API domain.
Install Mechanism
No install spec is provided (instruction-only install); the package bundles the SDK and CLI JavaScript files. It requires Node.js, which is reasonable for a Node CLI/SDK and does not pull arbitrary external binaries or download code at runtime.
Credentials
Only one credential (VOICE_AI_API_KEY) is required and used as a Bearer token for API calls. There are no other secrets, config paths, or unrelated environment variables requested.
Persistence & Privilege
The skill does not request always:true, does not claim background/persistent execution, and does not modify system or other skill configurations. It writes only the declared audio output file.
Assessment
This skill appears internally consistent: it bundles a Node.js CLI/SDK that uses a single VOICE_AI_API_KEY to call the declared HTTPS API and writes audio output locally. Before installing, verify the vendor/source (check the GitHub repo URL in package.json), confirm that https://dev.voice.ai is the correct production endpoint for your use, and treat your VOICE_AI_API_KEY like any secret (store securely, use least-privilege keys if available, and rotate the key if you suspect leakage). If you want extra assurance, inspect or run the CLI in an isolated environment and monitor outbound network requests to confirm they go only to the expected domain.
Like a lobster shell, security has layers — review code before you run it.
latest vk970wxr0escrwxk1ymya1d4dkx819dks
Runtime requirements
🎙️ Clawdis
Bins: node
Env: VOICE_AI_API_KEY
Primary env: VOICE_AI_API_KEY
