ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

KittenTTS WhatsApp

v1.0.4

Voice-to-voice mode for WhatsApp using KittenTTS + ffmpeg. Transcribe incoming audio with whisper, reply with a TTS voice note converted to WhatsApp-compatib...

0· 66·0 current·0 all-time
byReadY@lakshibro
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name/description (KittenTTS → WhatsApp OGG) align with the included scripts and instructions (tts_walkie.sh uses KittenTTS and ffmpeg; transcribe.sh uses whisper + ffmpeg). Minor inconsistency: registry metadata listed 'Required env vars: none' and no required binaries, while SKILL.md metadata declares ffmpeg, network access to huggingface.co, and 'privileged: true'. This appears to be an authoring/metadata mismatch, not malicious behavior.
Instruction Scope
Runtime instructions and the two scripts stick to audio generation/transcription and temporary file handling. Scripts create a private /tmp directory, write WAV/OGG files, call ffmpeg, whisper, and KittenTTS; they do not access unrelated system files or send data to external endpoints beyond downloading models from Hugging Face. Note: SKILL.md suggests adding HF_TOKEN to ~/.bashrc (writes a token into shell config) — this is a user-level change you should consider before applying.
Install Mechanism
There is no automated install spec; the docs ask you to run apt-get and pip3 install manually. That is expected for this use case but is intrusive: pip3 install kittentts --break-system-packages and apt-get install -y ffmpeg require root and can alter system Python packages on managed machines. Model downloads (~25–80MB) come from huggingface.co (a known host).
Credentials
The skill does not require unrelated secrets. HF_TOKEN is optional and only suggested to reduce download rate limits; no other credentials or tokens are requested. The scripts do not read other environment variables beyond VOICE_SPEED (documented) and the optional HF_TOKEN.
Persistence & Privilege
The skill is not marked always:true and does not modify other skills or system-wide agent settings. It requires privileged actions only for dependency installation (apt/pip), which is documented in the README; otherwise it runs as the invoking user and stores temporary files under a mode-700 directory.
Assessment
This skill appears to do exactly what it says (generate WhatsApp-ready voice notes and optionally transcribe audio). Before installing, consider: 1) Do not run the provided apt-get / pip commands on a managed or production machine without approval — pip --break-system-packages can change system Python packages. Prefer using a virtualenv, container, or dedicated machine. 2) The model download comes from huggingface.co (~25–80MB); set HF_TOKEN only if you trust where you store the token (adding it to ~/.bashrc stores it in plaintext). 3) Verify ffmpeg and Python dependencies yourself and inspect the two scripts (they are short and straightforward). 4) The registry metadata and SKILL.md metadata disagree about required binaries — treat SKILL.md as the authoritative source. If you need lower risk, run this inside a disposable VM/container.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f7wzjg9qcxg7sq36wpa8qtn83j996

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments