Skill v0.1.0
ClawScan security
Tts Router · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 10, 2026, 1:04 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The instructions and requirements are internally consistent with a local Apple‑Silicon TTS/router that pulls models and supports voice cloning, but it includes operations (downloading models, fetching arbitrary URLs, bundling yt-dlp, and recommending pip installs) that carry meaningful security, privacy, and legal risks you should review before installing or exposing it.
- Guidance: This skill appears to implement what it claims, but take these precautions before installing or running it: (1) Review the upstream PyPI package source (tts-router) before pip installing — pip installs run arbitrary code. (2) Run the server in an isolated environment (container or dedicated macOS account) and do not bind it to public networks by default; the server can fetch arbitrary URLs and could be used to access internal services. (3) Be aware it bundles or uses yt-dlp to download streaming content and supports cloning voices — this has legal and privacy implications (do not clone voices without consent). (4) If you need private HuggingFace models, supply tokens only when necessary and store them securely; the skill does not declare env var requirements for that. (5) If you plan to integrate it with OpenClaw, check the OpenClaw config file changes carefully. If any of these risks are unacceptable, avoid installing or restrict the runtime environment and network access.
- Findings
[no-findings] expected: The static regex scanner had no code files to analyze. That is expected because this is an instruction-only skill; absence of findings is not an indication of safety.
Review Dimensions
- Purpose & Capability (ok): The name and description (local TTS router, pull models, serve OpenAI-compatible API, voice cloning) match the SKILL.md instructions and examples. Required tools (uv, ffmpeg) and use of HuggingFace model downloads are sensible for this purpose. Minor mismatch: SKILL.md targets macOS Apple Silicon but the registry metadata does not set an OS restriction; this is likely an oversight but not a functional contradiction.
- Instruction Scope (concern): The skill's runtime instructions include endpoints that fetch arbitrary external URLs (POST /v1/audio/references/from-url) and note that tts-router "bundles yt-dlp" to extract audio from many sites. That is coherent with voice‑cloning features but creates risk: the server will download and process external content (including potentially large or malicious files), and a server that can fetch arbitrary URLs may be abused to reach internal network resources (SSRF-like risk). The skill also reads/writes user-local paths (~/.cache/huggingface/hub, ~/.openclaw/openclaw.json) — expected but worth noting.
- Install Mechanism (note): This is an instruction-only skill (no install spec supplied). SKILL.md instructs installing a PyPI package (pip install tts-router) or using uvx. Installing third-party packages via pip/brew is normal but executes upstream code on your machine and thus requires trust; the skill does not embed or provide the package source for review.
- Credentials (note): No environment variables or credentials are declared or required. The skill pulls models from HuggingFace Hub (public models need no token; private models do), but the SKILL.md does not mention HuggingFace tokens or how to supply them — this is plausible but worth being aware of. No unrelated secrets are requested.
- Persistence & Privilege (ok): The skill is not always-enabled, does not request elevated privileges, and does not claim to modify other skills or system-wide settings beyond caching models in the user's home and suggesting edits to ~/.openclaw/openclaw.json for integration. Agent autonomous invocation is allowed (platform default) and not a standalone concern here.
