Skill v0.1.0
ClawScan security
coze-voice-gen · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 4, 2026, 12:09 PM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated TTS/ASR purpose and require only npx to run, but it omits details about dependency installation and how the SDK is authenticated — verify those before use.
- Guidance: This skill appears to do exactly what it says: run local TypeScript scripts to send audio to Coze's SDK for TTS or ASR and print results. Before installing or using it:
  1. Confirm how the coze-coding-dev-sdk authenticates (API key, env vars, or config file) and where those credentials must be placed — the SKILL.md does not declare any required keys.
  2. Ensure you have the necessary Node/ts-node and the coze SDK installed or understand how npx will resolve them.
  3. Remember that uploading local audio or providing URLs will transmit data to Coze's service — do not send sensitive audio unless you trust Coze and your credential configuration.
  4. If you need stronger assurance, inspect the SDK's Config implementation (or run the scripts in an isolated environment) to see whether it reads environment variables or local config files and what network endpoints it calls.
Review Dimensions
- Purpose & Capability (ok): Name/description, SKILL.md examples, and included scripts (tts.ts, asr.ts) all implement TTS and ASR via the coze-coding-dev-sdk and rely on npx/ts-node to run. There are no unrelated binaries, credentials, or config paths requested.
- Instruction Scope (note): The runtime instructions and scripts stay within expected scope: reading a local audio file (when requested), accepting a URL, base64-encoding local audio, and calling the SDK. The scripts print transcriptions or audio URIs to stdout. They transmit audio data to the coze SDK (i.e., to Coze's service) — which is expected for this functionality but important to be aware of.
- Install Mechanism (note): There is no install spec. SKILL.md instructs using 'npx ts-node' to run the scripts; that will provide ts-node but the repository doesn't include package.json or explicit installation of the coze-coding-dev-sdk. Users will need to ensure dependencies (coze-coding-dev-sdk and any TS runtime) are available. No downloads from suspicious URLs or archived extracts are present.
- Credentials (note): The skill declares no required environment variables, and the scripts do not directly read env vars. However, both scripts instantiate a Config() from coze-coding-dev-sdk — that SDK may require API keys or config (via environment variables, config files, or other host credentials). The lack of declared required credentials/primaryEnv is a transparency gap users should verify against the SDK's docs.
- Persistence & Privilege (ok): The skill does not request always:true or any elevated persistence. It does not attempt to modify other skills or system-wide settings; it only runs as-invoked.
