Inworld TTS
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: inworld-tts Version: 1.0.0 The skill bundle is benign, providing text-to-speech functionality via the Inworld.ai API as described. The `SKILL.md` documentation offers clear, non-manipulative instructions for the AI agent and user, including standard API key setup. The `scripts/tts.sh` script safely constructs JSON payloads using `jq -Rs .` to prevent injection, and securely transmits the user-provided text and API key (from environment variables) only to the legitimate Inworld.ai API endpoint. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts beyond the skill's stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users may need to manually verify the included script and setup requirements before relying on the skill.
The registry metadata has limited provenance and does not declare the credential/dependency setup that the included SKILL.md documents. This is a transparency note rather than hidden behavior.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill; Required env vars: none
Review the visible script before chmod or symlinking it, and prefer metadata that declares INWORLD_API_KEY plus curl, jq, and base64 requirements.
Anyone who can read or use that environment variable may be able to make Inworld API calls under the user's account or consume quota.
The skill requires an Inworld API credential and suggests optional persistent storage. This is expected for the stated TTS integration but is still credential-sensitive.
Generate key with "Voices: Read" permission ... export INWORLD_API_KEY="your-base64-key-here" ... For persistence, add to `~/.bashrc` or `~/.clawdbot/.env`.
Use the narrowest available key scope, store the key only where trusted local processes can access it, and rotate the key if it is exposed.
Text submitted for speech synthesis leaves the local environment and is shared with Inworld.ai.
The caller-provided text is placed in the request payload and sent to Inworld's API. This third-party provider flow is necessary for the skill's purpose and is disclosed.
"text": $(echo "$TEXT" | jq -Rs .) ... --url "https://api.inworld.ai/tts/v1/voice" ... --data "$PAYLOAD"
Avoid sending confidential text unless the user is comfortable with Inworld.ai processing it under their account and data policies.