bailian-tts

Security checks across malware telemetry and agentic risk

Overview

The skill is consistent with its stated purpose of generating TTS audio, but users should be aware that it installs a global npm CLI, and they should protect the Bailian API key and any text sent to the service.

This appears safe for its stated purpose if you intend to use Alibaba Bailian TTS. Before installing, verify the @hackerpl/bailian-cli npm package, use a protected Bailian API key, and do not send sensitive text for speech generation unless you are comfortable with it being processed by the external service.

VirusTotal

65/65 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing the CLI places that npm package's code on the user's global command path.

Why it was flagged

The skill depends on a globally installed, unpinned npm CLI package. This is central to the stated TTS purpose and is disclosed, but global npm installs can add persistent executables and should be verified before use.

Skill content
npm i -g @hackerpl/bailian-cli
Recommendation

Verify the npm package and maintainer before installing, consider pinning a known-good version, and install it only when the user agrees.

ASI03: Identity and Privilege Abuse
Low
What this means

The CLI can use the configured Bailian account key, which may consume quota or incur provider-side usage charges.

Why it was flagged

The skill uses a Bailian API key to call the TTS service. This is expected for the integration, and the artifacts do not show hardcoded keys or credential logging.

Skill content
Check `BAILIAN_API_KEY`
Recommendation

Use a least-privileged API key if available, avoid sharing the key, and rotate it if it is exposed.

ASI02: Tool Misuse and Exploitation
Low
What this means

Text submitted for speech generation may be transmitted to the external Bailian TTS service.

Why it was flagged

The skill acknowledges that text is sent externally for TTS generation and instructs the agent to confirm before sending sensitive text. This is consistent with the skill's purpose, but users should understand it.

Skill content
Respect user privacy: do not upload sensitive text externally without explicit confirmation.
Recommendation

Confirm before sending private, regulated, or confidential text to the provider, and use a scoped output directory for generated audio.