Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

tencent-tts-podcast

v1.0.0

Convert text to podcast audio using Tencent Cloud TTS. Supports both short and long text processing, generates up to 30-minute long audio with automatic chun...

0· 291·2 current·2 all-time
by Hertz@islinxu
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (Tencent TTS → podcast WAV) match the included code (tts_podcast.py and tts_tool.py) and the listed dependencies. However, the registry metadata declares no required environment variables, while SKILL.md and the code require Tencent Cloud credentials (secret_id and secret_key), supplied either as parameters or via environment variables. This mismatch should be resolved or clarified by the author.
Instruction Scope
SKILL.md and the example scripts confine the skill to: chunking text, calling the Tencent TTS API, optionally uploading to COS, and returning or encoding the generated WAV. The code does exactly that. The concern is that tts_tool.py attempts to import core.tts_config.get_tts_credentials when that module is available. In an agent runtime that ships a platform 'core' module, the skill will call into it to retrieve credentials from the host environment, and SKILL.md does not describe this behavior. That is an undocumented expansion of scope and could expose platform-stored secrets to the skill.
Install Mechanism
No install spec is provided (instruction-only), and dependency requirements are listed in requirements.txt. No remote downloads or install scripts that fetch arbitrary code were found. Risk is limited to installing the listed Python packages when you choose to run it locally.
Credentials
The skill legitimately needs Tencent Cloud credentials (SecretId/SecretKey) and, optionally, COS credentials for uploads; both are proportionate to TTS and to uploading outputs. But the registry metadata does not declare any required environment variables, while SKILL.md and the code expect credentials as input parameters or as environment variables (TENCENT_TTS_SECRET_ID/TENCENT_TTS_SECRET_KEY). The code also carries default COS values (bucket_name: 'ti-aoi', app_id: 1257195185): if upload is enabled and the user leaves these defaults in place, outputs could be uploaded to an account the user did not configure. Both issues should be noted before running the skill.
Persistence & Privilege
The skill does not request permanent 'always' inclusion and does not modify other skills or system-wide settings. It does attempt to import a 'core' config helper (core.tts_config) which, if present, may read platform-managed credentials. That is neither persistence nor a privilege escalation in itself, but it is an attempt to reach platform-side secrets and should be weighed when installing.
What to consider before installing
- Expect to provide a Tencent Cloud SecretId and SecretKey (or set the environment variables TENCENT_TTS_SECRET_ID/TENCENT_TTS_SECRET_KEY). The registry metadata does not list these, so confirm where you will supply them.
- Review the code yourself (tts_podcast.py and tts_tool.py) before supplying credentials. tts_tool.py tries to import core.tts_config.get_tts_credentials if it is available; if your agent or runtime has a core module, that call may return platform-level secrets. If you do not want that, remove or override the import, or make sure the core module cannot expose secrets to skills.
- If you enable COS upload, check the default bucket_name ('ti-aoi') and app_id (1257195185). Upload is disabled by default, but if you enable it and leave the defaults in place, files may be uploaded to someone else's COS account. Supply your own COS credentials and bucket.
- Run with least-privilege credentials: create an API key scoped to TTS (and to COS only if you enable upload) rather than reusing broad account keys.
- The skill produces WAV files only (no MP3), and the listed dependencies are standard (tencentcloud-sdk-python, cos-python-sdk-v5, requests). Install them in a virtualenv or sandbox.
- For higher assurance, ask the skill author to remove the implicit core.tts_config import, or to document when and why the skill accesses platform secrets, and to update the registry metadata to list the required environment variables.
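The code-review items above can be turned into a repeatable pre-install audit. The script below is an added example written for this page; it is not part of the skill or of ClawHub's scanner. It parses a skill's Python sources and reports three things the scan flagged: imports of a platform `core` module (and whether they are wrapped in try/except, i.e. used only when the module exists), environment variables the code reads, and the hard-coded COS defaults 'ti-aoi' and 1257195185. `SAMPLE_SOURCE` is a constructed stand-in that reproduces the patterns the report describes; it is not the real tts_tool.py. Point `audit_directory` at an unpacked skill to check the actual files.

```python
"""Pre-install audit for a downloaded skill directory (added example).

Checks for: implicit imports of a platform 'core' module, environment
variables read by the code, and known hard-coded COS defaults.
"""
import ast
from pathlib import Path
from typing import Dict, List

# Module prefix the scan report singled out as platform-side code.
PLATFORM_MODULE = "core"
# Default bucket/app_id values called out in the report (as strings for comparison).
KNOWN_DEFAULTS = {"ti-aoi", "1257195185"}

# Constructed stand-in for tts_tool.py: NOT the skill's real code, just the
# shape of the behaviour the report describes (guarded core import, env fallback,
# hard-coded COS defaults).
SAMPLE_SOURCE = '''
import os
try:
    from core.tts_config import get_tts_credentials
except ImportError:
    get_tts_credentials = None

DEFAULT_BUCKET = "ti-aoi"
DEFAULT_APP_ID = 1257195185

def load_credentials(secret_id=None, secret_key=None):
    if get_tts_credentials is not None:
        return get_tts_credentials()
    return (secret_id or os.environ.get("TENCENT_TTS_SECRET_ID"),
            secret_key or os.getenv("TENCENT_TTS_SECRET_KEY"))
'''


def _dotted(node: ast.AST):
    """Return 'os.environ.get' style name for an Attribute/Name chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _is_platform(module: str) -> bool:
    return module == PLATFORM_MODULE or module.startswith(PLATFORM_MODULE + ".")


def audit_source(source: str) -> Dict[str, List[str]]:
    tree = ast.parse(source)
    findings = {"platform_imports": [], "env_vars": [], "hardcoded_defaults": []}

    # Nodes inside a try body: an import there is optional ("if available").
    guarded = set()
    for t in ast.walk(tree):
        if isinstance(t, ast.Try):
            for stmt in t.body:
                guarded.update(id(n) for n in ast.walk(stmt))

    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module and _is_platform(node.module):
            label = f"{node.module}.{', '.join(a.name for a in node.names)}"
            if id(node) in guarded:
                label += " (guarded import: used only when the module exists)"
            findings["platform_imports"].append(label)
        elif isinstance(node, ast.Import):
            for a in node.names:
                if _is_platform(a.name):
                    findings["platform_imports"].append(a.name)
        elif isinstance(node, ast.Call) and node.args and \
                _dotted(node.func) in ("os.getenv", "os.environ.get"):
            arg = node.args[0]
            if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                findings["env_vars"].append(arg.value)
        elif isinstance(node, ast.Subscript) and _dotted(node.value) == "os.environ":
            key = node.slice
            if not isinstance(key, ast.Constant):      # Python 3.8 ast.Index wrapper
                key = getattr(key, "value", None)
            if isinstance(key, ast.Constant) and isinstance(key.value, str):
                findings["env_vars"].append(key.value)
        elif isinstance(node, ast.Constant) and not isinstance(node.value, bool) \
                and str(node.value) in KNOWN_DEFAULTS:
            findings["hardcoded_defaults"].append(f"{node.value!r} at line {node.lineno}")

    return {k: sorted(set(v)) for k, v in findings.items()}


def audit_directory(path: str) -> Dict[str, Dict[str, List[str]]]:
    """Audit every .py file under an unpacked skill directory."""
    return {str(p): audit_source(p.read_text(encoding="utf-8"))
            for p in sorted(Path(path).rglob("*.py"))}


if __name__ == "__main__":
    import pprint
    pprint.pprint(audit_source(SAMPLE_SOURCE))
```

A non-empty `platform_imports` list means the skill can obtain credentials from somewhere other than the parameters and environment variables you control; a guarded import is exactly the "if available" behaviour the report describes. Any hit in `hardcoded_defaults` should be replaced with your own bucket and app_id before enabling upload.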


latestvk9754djqhprej6xfc08nszhs2x82mk1q
