Smart Speak Multilingual TTS (Jaskies)

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears to be a coherent multilingual text-to-speech helper, with ordinary setup, external-service, and file-output considerations rather than evidence of malicious behavior.

This skill looks reasonable for generating multilingual MP3 audio. Before installing, use trusted package sources for ffmpeg and edge-tts, verify the hard-coded edge-tts path works on your machine, choose a safe output file path, and avoid sending confidential text to the external TTS service.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the prerequisites can change the local system or Python environment and depends on the package sources being trustworthy.

Why it was flagged

The skill asks users to install system and Python packages from external package sources; this is expected for the TTS/merging purpose but is not represented in an install spec or pinned dependency list.

Skill content

sudo apt update && sudo apt install -y ffmpeg

# Install edge-tts
python3 -m pip install edge-tts

Recommendation

Install only from trusted repositories, consider using a Python virtual environment, and prefer declared/pinned dependencies in future versions.

What this means

The skill may fail on other machines or run whatever executable exists at that path if present.

Why it was flagged

The script executes a local edge-tts binary from a hard-coded user-home path. Running a local TTS binary is purpose-aligned, but the hard-coded path makes the runtime depend on local state outside the artifact.

Skill content

edge_tts_path = "/home/jackie_chen_phong/.local/bin/edge-tts"
cmd = [
    edge_tts_path,
    "--voice", voice,
    "--text", text,
    "--write-media", temp_file
]

Recommendation

Verify the edge-tts binary location before use; maintainers should prefer a declared dependency or configurable/PATH-based binary lookup.

What this means

A mistaken or overly broad output path could replace an existing accessible file.

Why it was flagged

The script passes the caller-supplied output path to ffmpeg with -y, which overwrites an existing file at that path if the process has permission.

Skill content
ffmpeg_cmd = [
    "ffmpeg", "-y", "-f", "concat", "-safe", "0",
    "-i", concat_file_path,
    "-c", "copy",
    args.output
]
Recommendation

Use a dedicated workspace output path, avoid protected or important files, and consider adding no-clobber or confirmation behavior before overwriting.

What this means

Private or sensitive text used for speech generation may leave the local machine as part of the TTS process.

Why it was flagged

User-provided segment text is passed to edge-tts for speech generation; SKILL.md describes edge-tts as Microsoft Edge TTS, so the text may be handled by that external provider.

Skill content

"--text", text,
"--write-media", temp_file

Recommendation

Do not synthesize secrets or confidential text unless the user is comfortable with the provider’s handling of that content; document the external data flow clearly.