SenseAudio TTS tool that generates copy according to the user's needs and produces the voice-over

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent text-to-speech skill that uses a disclosed external SenseAudio API, with a limited but avoidable runtime dependency-install risk.

Install only if you are comfortable sending narration text to SenseAudio and using your own API key. For safer operation, install requests through your normal package manager ahead of time, pin dependency versions where possible, and do not synthesize sensitive or confidential text unless the provider’s privacy terms are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
except ImportError:
        print(f"缺少 {pip_name},正在自动安装...", file=sys.stderr)

    result = subprocess.run(
        [sys.executable, "-m", "pip", "install", pip_name],
        text=True,
        stdout=subprocess.PIPE,
Confidence
93% confidence
Finding
result = subprocess.run( [sys.executable, "-m", "pip", "install", pip_name], text=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, )

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
A TTS utility should not silently modify the host environment by installing Python packages during execution. This creates unnecessary supply-chain and change-control risk, especially in agent or automation environments where the code may run with elevated privileges or in sensitive workspaces.

External Transmission

Medium
Category
Data Exfiltration
Content
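By default, this Skill is based on the following official capabilities:

- Endpoint: `POST https://api.senseaudio.cn/v1/t2a_v2`
- Authentication: `Authorization: Bearer API_KEY`
- Model: `SenseAudio-TTS-1.0`
- Maximum supported text length: `10000` characters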
Confidence
94% confidence
Finding
https://api.senseaudio.cn/

VirusTotal

66/66 vendors flagged this skill as clean.
