Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Smart Speak Multilingual TTS
v1.0.0
Multilingual Text-to-Speech (TTS) with intelligent Pinyin-to-Hanzi conversion. Use when the user asks to generate audio for text that contains a mix of Vietn...
by Trần Anh Vũ (@jaskies)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims 'Intelligent Pinyin Conversion' and automatic language segmentation, but the included Python script does not implement any Pinyin detection or conversion — it simply expects a JSON array of segments. Additionally, the SKILL.md and script hardcode absolute paths tied to a specific user (/home/jackie_chen_phong and /home/jackie_chen_phong/.local/bin/edge-tts), which is unrelated to the TTS algorithmic claim and suggests poor packaging or a mismatch between author environment and expected runtime.
Instruction Scope
SKILL.md instructs the agent to detect Pinyin, convert to Hanzi, strip emojis, and segment text before calling the script. Those preprocessing steps are not present in scripts/smart_speak.py, so the agent (or integrator) must perform them itself. The instructions also require using an absolute workspace path and assume edge-tts exists at a hardcoded user path — both grant broad assumptions about the host filesystem and agent behavior that are outside the skill's stated purpose.
Install Mechanism
There is no install spec (instruction-only with a bundled script). That is low-risk in general, but the script depends on external binaries (edge-tts and ffmpeg) without providing installation instructions. The script assumes edge-tts is at a specific user location, which is brittle and may hide unauthorized dependency expectations if blindly executed.
Credentials
The manifest declares no credentials or env vars (good), but the SKILL.md and script hardcode a particular user's home and local binary path. Requesting or assuming access to a specific home directory is disproportionate and possibly inappropriate for a generic skill; it could cause accidental access to user-specific data or failures if that path doesn't exist.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does execute local binaries (edge-tts, ffmpeg) and writes output to disk within the workspace, which is expected for a TTS merging utility.
What to consider before installing
This skill is suspicious because its documentation promises automatic Pinyin→Hanzi conversion and segmentation, but the included script only synthesizes audio for segments you must supply. Before installing or running: (1) ask the author to clarify where Pinyin detection/conversion is implemented or provide the code; (2) do not run the script as-is if it references another user's home (/home/jackie_chen_phong) — update paths to your workspace; (3) ensure edge-tts and ffmpeg are installed from trustworthy sources and update the script to point to their correct locations; (4) when invoking the script, avoid interpolating raw JSON into a shell command (prefer passing arguments safely) to prevent injection; and (5) inspect and test the script in an isolated environment first. If the author cannot justify the hardcoded paths or provide the missing conversion logic, treat the package as untrusted.
Like a lobster shell, security has layers — review code before you run it.
