ClawHub

Tts Voice Ai

Security checks across malware telemetry and agentic risk

Overview

The skill looks purpose-aligned for generating speech, but it uses a MiniMax API key and sends your text to MiniMax while relying on setup details not fully reflected in registry metadata.

This appears to be a normal MiniMax TTS wrapper. Before installing, confirm you are comfortable providing a MiniMax API key, sending the text you want voiced to MiniMax, and allowing the script to write the generated audio file to the chosen path.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#
ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

The installer or agent may not automatically warn that Python, the requests package, and a MiniMax API key are needed.

Why it was flagged

The skill declares runtime prerequisites in SKILL.md, while the registry metadata reports no required binaries, env vars, or install spec. The requirements are purpose-aligned, but setup disclosure is inconsistent.

Skill content
requires:
      bins: [python3]
      env: [MINIMAX_API_KEY]
      pip: [requests]
Recommendation

Install dependencies only from trusted sources and set the MiniMax API key intentionally; the publisher should keep registry requirements consistent with SKILL.md.

#
ASI03: Identity and Privilege Abuse
Low
What this means

Using the skill may consume MiniMax account quota or billing tied to the API key.

Why it was flagged

The script uses a MiniMax API key as a bearer token for provider requests. This is expected for the TTS service, but it grants account/quota authority.

Skill content
"Authorization": f"Bearer {api_key}"
Recommendation

Use a dedicated or limited-scope API key if possible, monitor account usage, and rotate the key if it is exposed.

#
ASI07: Insecure Inter-Agent Communication
Low
What this means

Private or sensitive text submitted for speech generation may be processed by MiniMax according to that provider’s policies.

Why it was flagged

The user-provided text is sent to the selected MiniMax API endpoint to generate audio. This is central to the skill’s purpose, but it means text leaves the local environment.

Skill content
payload = {
        "model": model,
        "text": text,
        "stream": False,
    }
...
resp = requests.post(tts_url, headers=headers, json=payload, timeout=60)
Recommendation

Avoid sending secrets or highly confidential text unless MiniMax’s data handling terms are acceptable for your use case.