ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

senseaudio-game-npc-director

v1.0.1

Use when a game, interactive story, or virtual world needs reusable NPC voice behavior, including fixed voice identity, catchphrases, relationship-aware dial...

0· 137·0 current·0 all-time
byWu Ruixiao@kikidouloveme79
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The scripts and SKILL.md implement NPC voice generation, ASR, TTS, and Feishu delivery which matches the skill description. However, the registry metadata lists no required env vars or config paths even though the implementation clearly expects API keys, platform tokens, and host helper modules.
!
Instruction Scope
Runtime instructions and scripts call external services (SenseAudio ASR/TTS endpoints, Feishu open API), transcode and upload audio, and load helper modules from parent _shared directories and another skill (audioclaw-skills-voice-reply). They also read workspace/config files via audioclaw_paths. The SKILL.md and registry do not disclose these file/config dependencies or the exact credentials used, giving the agent access to external networks and workspace configs beyond what's declared.
Install Mechanism
No install spec is provided (instruction + scripts only), so nothing arbitrary is downloaded at install time. This lowers install-time risk. The code will run at runtime and import helper modules from the host environment.
!
Credentials
The code uses SENSEAUDIO_API_KEY, SENSEAUDIO_PLATFORM_TOKEN, SENSEAUDIO_ASR_MODEL (and an api-key-env argument), and expects Feishu app credentials/config (app_id/app_secret) via a workspace config — none of these were declared in the registry metadata. Requiring platform API keys and tenant credentials is normal for ASR/TTS and Feishu features, but the omission in metadata is an incoherence that could lead to surprise credential usage or accidental credential leakage.
Persistence & Privilege
The skill is not marked always:true and does not modify other skills' configurations. It does import shared modules from parent directories, but there is no evidence it attempts to persist itself or alter system-wide agent settings.
What to consider before installing
Before installing or enabling this skill, verify the following: (1) Confirm which environment variables and config files you must provide — the code expects SENSEAUDIO_API_KEY and/or SENSEAUDIO_PLATFORM_TOKEN, an ASR model env, and a Feishu app_id/app_secret stored in a workspace config, but the registry metadata lists none. (2) Ask the publisher where the _shared helper modules come from (senseaudio_env, audioclaw_paths, senseaudio_api_guard) and the audioclaw-skills-voice-reply feishu helper; these are not included and will be imported from the host environment. (3) Understand that the skill will send audio to external endpoints (api.senseaudio.cn, platform.senseaudio.cn, open.feishu.cn) and will upload/transcode audio — do not supply sensitive audio or credentials unless you trust the endpoints and code. (4) If you cannot confirm the provenance of the missing helpers and the required credentials, run the skill only in an isolated environment or decline installation. If you decide to proceed, ask the maintainer to update the registry metadata to declare required env vars and config paths and to include or document any dependent helper packages.

Like a lobster shell, security has layers — review code before you run it.

latestvk971c7zwcf63xxhq8y8qjh7zad83c87b

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments