Skill v0.1.1
ClawScan security
Characteristic Voice · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 18, 2026, 12:49 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and required credentials are consistent with its stated purpose (expressive TTS); nothing indicates hidden or unrelated behavior, but note the skill will upload text and any chosen reference audio to noiz.ai when using the Noiz backend and saves an API key to ~/.noiz_api_key.
- Guidance
- This skill appears to do what it says: expressive TTS with optional voice cloning. Before installing, decide whether you want any audio/text to leave your machine. If you use the Noiz backend, the script will send text and any reference audio to https://noiz.ai/v1 and will save a normalized API key to ~/.noiz_api_key (file mode 600). If you must keep everything local, use the Kokoro backend. Be careful about sourcing reference audio from copyrighted or private material — the skill documents this risk. Finally, note the registry metadata didn't list NOIZ_API_KEY as a requirement while the SKILL.md and script use it; confirm you are comfortable providing that key before enabling the Noiz backend.
Review Dimensions
- Purpose & Capability
- note: The skill implements expressive TTS and optionally voice cloning via the Noiz API or a local Kokoro backend. Required tools (curl, python3) and optional tooling (yt-dlp, ffmpeg) match the documented features. Minor metadata mismatch: the registry lists no required env vars, but SKILL.md and the script require a NOIZ_API_KEY when using the Noiz backend.
- Instruction Scope
- ok: SKILL.md and the script limit actions to generating TTS, optionally uploading user-provided or downloaded reference audio to Noiz, and using local Kokoro when requested. The SKILL.md explicitly warns about copyright/privacy when sourcing reference audio. There are no instructions to read arbitrary system files or to exfiltrate unrelated data.
- Install Mechanism
- ok: No install spec is provided (instruction-only with an included script). The script itself uses standard system tools only; nothing is downloaded or executed from unknown URLs by the skill itself.
- Credentials
- note: The only credential used is NOIZ_API_KEY (optional if you use the Noiz backend), which is proportional to the skill's external API use. The script will normalize and save the API key to ~/.noiz_api_key (mode 600) for convenience — this persistent storage is reasonable but should be understood by the user. Registry metadata not listing this env var is an inconsistency to be aware of.
- Persistence & Privilege
- ok: The skill does not request elevated privileges nor set always:true. Its only persistent action is writing the API key file in the user's home directory; it does not modify other skills or system-wide agent settings.
