ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SenseAudio

v1.0.1

Turn plain text into character-style TTS scripts for narration, companion-style voice messages, emotional comfort audio, and expressive spoken responses. Use...

0· 131·0 current·0 all-time
by@jsinbupt
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, SKILL.md, reference docs, and included Python script all consistently implement persona-driven TTS and audio generation via the SenseAudio service. However, the registry metadata lists no required environment variables while the skill and docs clearly expect a SENSEAUDIO_API_KEY — a mismatch that reduces transparency.
Instruction Scope
Runtime instructions stay on-topic: rewrite text for speech, produce style notes, and (when requested) call the bundled script to POST to the SenseAudio API and save audio locally. The script only reads the provided text or a text file, the API key, and writes the output audio file; it may also follow an audio_url returned by the service to download audio. It does not instruct reading unrelated system files or other credentials.
Install Mechanism
No install spec (instruction-only) and a small included Python script — nothing is downloaded at install time. This is low-risk compared to remote installers. The script uses standard library urllib and writes files under user-specified output paths.
!
Credentials
The skill requires an API key to operate (SENSEAUDIO_API_KEY or --api-key) but the registry's required env vars list is empty. Requesting a single service API key is proportionate for a remote TTS integration, but the metadata omission and lack of a homepage/known publisher make it harder to verify the remote service and key handling.
Persistence & Privilege
Skill does not request always:true or any persistent elevated privileges. It does not modify other skills or global agent configuration.
What to consider before installing
This skill appears to do what it says (rewrite text for persona-driven TTS and call a SenseAudio API) and includes a small local script to perform the call. Before installing: 1) be aware it will send text to an external service (https://api.senseaudio.cn) — do not send sensitive personal, financial, or secret information without confirming privacy terms; 2) the package metadata fails to declare the required SENSEAUDIO_API_KEY environment variable — expect to provide that key yourself and verify you trust the service and the skill owner; 3) there is no homepage or known publisher listed — consider asking the publisher for provenance or using an alternative TTS provider you trust; 4) if you are concerned about autonomous network calls, restrict the skill's permissions or avoid providing the API key so it can only produce offline scripts. If the registry entry were corrected to declare SENSEAUDIO_API_KEY and included verifiable publisher info/homepage, my confidence would increase.

Like a lobster shell, security has layers — review code before you run it.

latestvk972fh4hn1rhyd7kf1gss71r99839pj5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments