ClawHub

MLX TTS

v0.0.3

Text-To-Speech with MLX (Apple Silicon) and opensource models (default QWen3-TTS) locally.

0· 1.1k·2 current·2 all-time
by@guoqiao
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (local TTS on Apple Silicon) aligns with the included scripts which call a local 'mlx_audio' tool and ffmpeg. Requiring brew is reasonable. However, the skill installs an external tool ('mlx-audio') and pulls models by name at runtime — this is consistent with the purpose but worth noting because it requires downloading third-party code and potentially large model weights.
Instruction Scope
Runtime instructions are narrowly scoped: run install.sh and mlx-tts.sh which produce a local audio file and return its path. The scripts do not read unrelated system files or request credentials. They do, however, execute commands that fetch and run external code and download models (the model string is passed to the tool), which is within the TTS goal but expands the attack surface.
!
Install Mechanism
No formal install spec in registry; install.sh uses brew and then runs 'uv tool install --force "mlx-audio" --prerelease=allow'. That command force-installs a pre-release third-party tool from the network without provenance. Installing remote/unverified code and pre-release packages increases risk — the install will write code to disk and enable execution of code not present in the registry.
Credentials
The skill does not request environment variables, credentials, or config paths. It only requires brew (and will install uv and ffmpeg). There are no obvious requests for unrelated secrets or system configuration.
!
Persistence & Privilege
The skill is marked always:true, meaning it will be force-included in every agent run. There is no clear justification for always:true for a user-invoked TTS utility. Combined with the installer behavior (downloading and installing a third-party tool), this increases the blast radius if the tool or package supply chain is malicious or compromised.
What to consider before installing
This skill likely does what it says (generates local TTS) but it will download and install a third‑party tool ('mlx-audio') as a pre-release package and downloads models at runtime. Key things to consider before installing: 1) always:true is set unnecessarily — disable or remove that unless you understand why it must be always-present; 2) inspect the sources for the 'uv' tool and the 'mlx-audio' package (where does 'uv' fetch from?), and prefer signed/official releases rather than forced pre-release installs; 3) run the install in a sandbox/VM or an isolated macOS user account and review what gets written to disk; 4) be prepared for large network and disk usage when models are downloaded; 5) if you cannot verify the upstream repositories or the package provenance, avoid enabling the skill on machines with sensitive data. If you want to proceed safely, run install.sh manually, audit installed files, and avoid granting broader privileges.

Like a lobster shell, security has layers — review code before you run it.

Apple Siliconvk97000bggm8dydxk17e531n4jx80w34bMac minivk97000bggm8dydxk17e531n4jx80w34bMacBookvk97000bggm8dydxk17e531n4jx80w34blatestvk97000bggm8dydxk17e531n4jx80w34bmacOSvk97000bggm8dydxk17e531n4jx80w34bmlxvk97000bggm8dydxk17e531n4jx80w34bmlx-audiovk97000bggm8dydxk17e531n4jx80w34btext-to-audiovk97000bggm8dydxk17e531n4jx80w34btext-to-speechvk97000bggm8dydxk17e531n4jx80w34bttsvk97000bggm8dydxk17e531n4jx80w34b

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🦞 Clawdis
OSmacOS
Binsbrew

Comments