tts

ReviewAudited by ClawScan on May 1, 2026.

Overview

This appears to be a coherent text-to-speech skill, but users should notice that it can send text or reference audio to Noiz cloud services and store a Noiz API key locally.

Before installing, decide whether you are comfortable with cloud TTS requests to Noiz and local storage of a Noiz API key. For private or sensitive text/voice samples, prefer the local Kokoro backend and avoid reference-audio URLs unless you trust the source and destination.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium

#ASI07: Insecure Inter-Agent Communication

What this means

Private text, scripts, or voice reference audio may leave the local machine when the Noiz backend or guest mode is used.

Why it was flagged

The Noiz backend sends requests to an external cloud TTS API, including user text in the request data and optional reference-audio files.

Skill content

resp = requests.post(
            url,
            headers={"Authorization": api_key},
            data=data,
            files=files,
            timeout=timeout,
        )

Recommendation

Use the local Kokoro backend for sensitive content, and only provide reference audio or URLs you are comfortable sending to Noiz.

Low

#ASI03: Identity and Privilege Abuse

What this means

A Noiz API key grants access to the user's Noiz account/API usage, so local file protection and key hygiene matter.

Why it was flagged

The skill reads and writes a persistent Noiz API key file and can migrate an older key location.

Skill content

NOIZ_KEY_FILE = Path.home() / ".config" / "noiz" / "api_key"
_LEGACY_KEY_FILE = Path.home() / ".noiz_api_key"

Recommendation

Keep the key file permissions restricted, remove old legacy key files if no longer needed, and revoke/rotate the key if it may have been exposed.

Low

#ASI05: Unexpected Code Execution

What this means

Audio generation may execute installed local media tools from the user's PATH.

Why it was flagged

The local Kokoro path invokes an external CLI to generate audio; timeline rendering also uses ffmpeg/ffprobe in the provided scripts.

Skill content

cmd = ["kokoro-tts", input_path, output, "--format", fmt]
...
subprocess.check_call(cmd)

Recommendation

Install these tools only from trusted sources and use explicit backends/paths when working in sensitive environments.

Info

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

It is harder to verify the publisher, project history, or upstream code outside the provided artifacts.

Why it was flagged

The registry metadata does not identify an upstream source or homepage for independent provenance review.

Skill content

Source: unknown
Homepage: none

Recommendation

Review the included scripts and install only if you trust the registry owner or have another way to verify provenance.