Skill v1.0.0

ClawScan security

AI语音合成TTS - 聚合数据 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 26, 2026, 10:39 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, runtime instructions, and requested credential (JUHE_SPEECH_KEY) are coherent with a Juhe.cn text-to-speech integration and do not request extraneous privileges.
Guidance
This skill appears to do what it claims: call Juhe.cn's TTS API and return an audio link. Before installing, consider:
1) You will be sending the text you synthesize to a third-party service (juhe.cn/gpt.juhe.cn). Avoid sending sensitive/personal/confidential text if you don't want it processed or stored by the provider.
2) The script will read JUHE_SPEECH_KEY from an environment variable, a .env file in the script directory, or a CLI argument — keep your API key in a secure place and do not place it in shared repositories.
3) Confirm you trust the provider (pricing, privacy, retention) and verify the API endpoint (the script posts to https://gpt.juhe.cn/text2speech/generate).
4) If running in a multi-user or CI environment, prefer supplying the key via a secure secret store rather than a plain .env file in a shared directory.

Review Dimensions

Purpose & Capability
ok: Name/description claim TTS via 聚合数据 (juhe.cn). The skill only needs python3 and a Juhe API key, which is precisely what's required to call the provider's TTS API. No unrelated services or credentials are requested.
Instruction Scope
ok: Runtime instructions and the provided script only parse user text or a user-supplied file, call the Juhe API endpoint, and optionally download the resulting audio. The script reads JUHE_SPEECH_KEY from a CLI arg, an environment variable, or a .env file in the script directory — all documented. It does not attempt to read other system-wide credentials or arbitrary files.
Install Mechanism
ok: No install spec is present (instruction-only deployment with a bundled script). Required binary is only python3. No external downloads or archive extraction are performed by the skill itself.
Credentials
ok: Only one credential is required (JUHE_SPEECH_KEY) and it is the primary credential used to authenticate to juhe.cn. No unrelated environment variables or secrets are requested.
Persistence & Privilege
ok: always is false; the skill does not request permanent/always-on presence and does not modify other skills or system configurations. It only reads a local .env when present (script directory) which is typical for CLI tools.