Skill v0.1.0

ClawScan security

Lobster Radio – Free Local AI Radio · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 10, 2026, 1:10 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's stated purpose (local TTS-based news radio) mostly matches its files and instructions. However, it instructs automatic downloading and execution of third‑party model code (trust_remote_code / HuggingFace/ModelScope downloads) and supports voice‑cloning, which creates a real risk of running untrusted code and of privacy misuse. Review providers/qwen3_tts.py and the install scripts before use, and run in an isolated environment.
Guidance
What to check before installing/using this skill:

1) Review providers/qwen3_tts.py and scripts/install.sh before running them. Look for use of trust_remote_code or any code that executes downloaded files or shells out to run remote scripts. If trust_remote_code is enabled, prefer to disable it or run in a sandbox.
2) Run the install and model download in an isolated environment (VM, container, or dedicated machine). Model downloads will fetch files from HuggingFace/ModelScope and some model repos include custom Python code that will run when loaded.
3) Inspect and consider removing or modifying automatic install scripts if you cannot fully trust them. Prefer manual model retrieval from a verified model repo and manual dependency installation.
4) Be cautious with the voice‑cloning feature: it can synthesize voices from short samples. Only supply audio you own or have permission to use.
5) Limit network and filesystem permissions where possible during testing. The skill will store models (~5GB) and generated audio; ensure you are comfortable with those writes and with the skill being added to your OpenClaw workspace.
6) If you need stronger assurance, ask the maintainer for a minimal provider implementation that loads only vetted model code (no trust_remote_code), or use a prebuilt, signed wheel/binary from a trusted source.

Reason for 'suspicious': the skill is functionally coherent, but the documented pattern of downloading third‑party model repos and enabling trust_remote_code (i.e., executing remote code) raises non-trivial security and privacy concerns that require operator review and mitigation.
Findings
[huggingface_cli_download] expected: SKILL.md and many docs instruct downloading the Qwen3-TTS model from HuggingFace — this is expected for a local TTS skill.
[modelscope_snapshot_download] expected: ModelScope is suggested as an alternative mirror for domestic users; this is expected for model retrieval.
[trust_remote_code_usage] unexpected: Documentation shows using AutoModelForCausalLM.from_pretrained(..., trust_remote_code=True). Executing remote model repository code is sometimes necessary for custom model implementations but carries significant security risk (remote code execution). If the provider implementation enables trust_remote_code or executes downloaded model code, that should be reviewed and run only in an isolated/trusted environment.
[voice_cloning] expected: Skill and docs advertise '3s voice cloning'. This is a feature of the TTS model but is a privacy risk (ability to synthesize other people's voices) and should be used with consent.

Review Dimensions

Purpose & Capability
ok: Name and description match what the bundle contains: TTS providers, content generation, scripts to download Qwen3‑TTS models, audio management, and OpenClaw/LobsterAI integration. Requested permissions (fileSystem, network) and required binary (python3) are consistent with downloading models, saving audio, and integrating into the platform.
Instruction Scope
concern: SKILL.md and included docs instruct the agent/operator to download large models from HuggingFace/ModelScope and run local Python code; they also recommend (in examples/docs) using trust_remote_code=True when loading models. The skill instructs reuse of a 'web-search' skill (via Python import or shell fallback) for news gathering, which increases scope and requires calling another skill. The skill also supports voice cloning from user audio samples (3s sample). These behaviors are within the stated purpose but broaden the runtime surface (network downloads, potential arbitrary code from model repos, and use of user audio), so they merit caution.
Install Mechanism
concern: There is no formal package install spec, but the repo includes install scripts (scripts/install.sh) and instructions that will pip install requirements and run huggingface/modelscope downloads. The download sources (HuggingFace, ModelScope) are common and expected for models, but the documentation demonstrates loading model repos with trust_remote_code (i.e., executing remote repo code). Automatic download plus execution of remote model code increases risk compared with pure dependency installation.
Credentials
note: The skill does not request secrets or cloud credentials and only declares python3 and platform permissions. This is appropriate for local model use. Documentation suggests an optional HF mirror endpoint (HF_ENDPOINT) and use of the huggingface/modelscope CLIs. These are benign for model retrieval but could require credentials for private repos; the skill does not request them explicitly.
Persistence & Privilege
note: always:false and the skill is user-invocable; it stores models, audio, and configuration on disk (MEMORY.md / SQLite). It also includes instructions to copy into the OpenClaw workspace and restart services, which is expected for a skill that writes files. There is no evidence that it modifies other skills' configs. Because it writes files and may be integrated into a user's OpenClaw workspace, install-time isolation is recommended.