Skill v0.1.6
ClawScan security
Dub YouTube with Voice.ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 9:46 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to do what it says (TTS dubbing via Voice.ai) and requests a single Voice.ai API key, but there are multiple documentation/metadata inconsistencies and placeholder endpoints that warrant caution before running with real credentials or video files.
- Guidance: This skill largely matches its stated purpose (turning scripts into TTS and optionally muxing into video). However:
  1) the registry metadata claims no required env vars while the SKILL.md, YAML and reference docs require VOICE_AI_API_KEY — that's an inconsistency you should resolve.
  2) The docs and YAML point to a non-production base URL (https://dev.voice.ai) and troubleshooting notes that production endpoints may be placeholders — prefer running in --mock mode first.
  3) The README/SKILL.md contain contradictory statements about .env handling; the safest assumption is the script reads only the VOICE_AI_API_KEY environment variable.
  4) Because the implementation is a bundled Node script (voiceai-vo.cjs), inspect the top of that file for hard-coded endpoints or unexpected remote hosts before using a real API key.

  Recommended steps before installing or running with real credentials:
  - Test with --mock to produce outputs locally without network calls.
  - Review voiceai-vo.cjs for any network calls and confirm they go to the expected Voice.ai API host.
  - Run the tool in an isolated environment (container or VM) and/or monitor outbound network requests (or set VOICEAI_API_BASE to a controlled proxy) to ensure no unexpected exfiltration.
  - Prefer obtaining a key from an official Voice.ai dashboard and do not use unrelated elevated credentials.

  If you cannot verify the endpoints and credential usage in the bundled script, treat this package with caution.
Review Dimensions
- Purpose & Capability (note): The code and documentation implement a Node CLI that renders text to audio and (optionally) muxes it into video using ffmpeg — this is coherent with the stated purpose. However the registry metadata lists no required environment variable while SKILL.md and other files declare VOICE_AI_API_KEY as required; the skill's YAML and reference docs point to a 'dev.voice.ai' base URL (a non-production host). These mismatches reduce confidence in the packaging/authoring.
- Instruction Scope (note): SKILL.md states only script text is sent to Voice.ai and that video files are processed locally — which is appropriate for a dubbing tool. But the documentation contains contradictory statements about credentials (.env support vs. 'does not read .env files') and troubleshooting warns that 'production API endpoints' are not configured and to use --mock mode. The runtime instructions grant the CLI discretion to call API endpoints (and allow overriding base URL via VOICEAI_API_BASE), so confirm endpoints and credential usage before running.
- Install Mechanism (ok): No install spec; the skill is a single bundled Node script (voiceai-vo.cjs) and optionally uses ffmpeg on PATH. There are no downloads or archive extracts in the manifest, so install risk is low. The bundled script is large (bundled deps), so review is required but the packaging itself is not suspicious.
- Credentials (note): Requesting a single VOICE_AI_API_KEY is proportionate for a TTS integration. However the registry metadata omitted this required env var (incoherent), and the code/docs expose an overridable base URL via VOICEAI_API_BASE. Those inconsistencies mean the declared required-env in the registry cannot be fully trusted without inspection of the bundled script.
- Persistence & Privilege (ok): The skill does not request permanent presence (always:false) and does not declare modifications to other skills or system-wide settings. It runs as a CLI tool; there is no indication it persists credentials beyond using the provided environment variable.
