Skill v1.1.0
ClawScan security
Tts Voice Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 16, 2026, 10:09 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements, instructions, and code align with a text-to-speech client for the MiniMax service and request only the MiniMax API key needed to operate.
- Guidance: This package appears to be a straightforward TTS client for the MiniMax service. Before installing: (1) confirm you trust the MiniMax endpoints (api.minimaxi.com / api.minimax.io) and are comfortable providing your MINIMAX_API_KEY; (2) review the full tts.py file locally (it only uses the API key, makes POST requests, and writes an output file); (3) be aware of legal/privacy implications of voice cloning or synthesizing third-party voices. If you do not trust or recognize the MiniMax service, do not provide your API key.
Review Dimensions
- Purpose & Capability: ok. Name/description (TTS, voice cloning) match the declared env var (MINIMAX_API_KEY), required binary (python3) and pip dependency (requests). The code calls MiniMax endpoints and maps voices/languages; these are expected for a TTS client.
- Instruction Scope: ok. SKILL.md instructs setting MINIMAX_API_KEY and running the provided tts.py with CLI flags. The instructions and code only perform language detection, voice selection, HTTP POSTs to MiniMax APIs, and write an audio output file—no broad file reads, system interrogation, or external endpoints outside the stated service.
- Install Mechanism: ok. No install spec or third-party downloads are present. It's an instruction-and-script package that relies on python3 and the requests library (declared). Nothing is fetched from arbitrary URLs or installed to system paths.
- Credentials: ok. Only MINIMAX_API_KEY is required and is used by the script to authenticate to the MiniMax API. No other credentials, secrets, or unrelated env vars are requested or referenced.
- Persistence & Privilege: ok. Skill is not always-on and does not request elevated persistence. It does not modify other skills or system-wide configs; it just runs as a standalone script when invoked.
