Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Tts Responder
v1.0.0
Converts text to OGG audio using Piper and sends spoken responses via Telegram when voice mode is enabled.
by JULIAN GOMEZ FERNANDEZ (@jgf78)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (TTS → Telegram) aligns with the script: it uses piper and ffmpeg to create OGG and posts to Telegram. However, the registry metadata declares no required environment variables while the runtime script expects BOT_TOKEN and CHAT_ID for sending messages—this mismatch should be corrected.
Instruction Scope
SKILL.md and the shell script stay within scope: synthesize text to WAV/OGG and POST to Telegram. The script only reads TTS_VOICE/TTS_SPEED (optional) and BOT_TOKEN/CHAT_ID for posting, writes temporary files to /tmp, then cleans up.
Install Mechanism
No install spec or external downloads are included by the skill bundle itself (instruction-only + a small bash script). This is low-risk from an installation perspective. Note: Piper models may be downloaded by the piper runtime at first use (SKILL.md mentions ~50 MB).
Credentials
The script requires BOT_TOKEN and CHAT_ID (sensitive credentials) to send messages, but the skill metadata did not declare them. Requesting a Telegram bot token and chat ID is proportionate to the stated purpose, but the missing declaration is an information/consent gap you should address before installing.
Persistence & Privilege
The skill is not always-on, does not request privileged/long-lived platform privileges, and does not modify other skills or system-wide settings. It runs as invoked and uses temporary files in /tmp, which it deletes.
What to consider before installing
This skill does what it says (synthesizes speech and can send it to Telegram), but check these before installing:
- The included script will attempt to POST audio to https://api.telegram.org using environment variables BOT_TOKEN and CHAT_ID. Those variables are sensitive (BOT_TOKEN is equivalent to a secret) and are not declared in the registry metadata—confirm you are willing to provide them and understand the bot's permissions.
- Verify the BOT_TOKEN and CHAT_ID values and that you trust the destination chat. A compromised token would allow someone to send messages as your bot.
- Piper may auto-download voice models from external hosts the first time it runs. If you need to avoid external downloads, prefetch models in a controlled environment.
- The script writes temp files to /tmp and then removes them; you may want to run it in a sandbox or container if you want stronger isolation.
- If you plan to integrate this into an agent, confirm the agent will only pass intended messages to the skill—avoid letting it forward arbitrary or sensitive content automatically.
If you want to proceed, ask the author or maintainer to update the skill metadata to declare BOT_TOKEN and CHAT_ID (and mark them as sensitive) so the requirements are explicit. If you cannot verify the source or do not want to provide a bot token, do not install.
Like a lobster shell, security has layers — review code before you run it.
