ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MiniMax TTS Generator

v1.0.0

Text-to-speech (TTS) generation using MiniMax API. Converts text into natural-sounding speech with support for multiple voices, adjustable speed and pitch, a...

0· 62·0 current·0 all-time
by@lanhaixuan
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code: the script sends text to MiniMax endpoints and returns/writes audio. Required binary python3 and MINIMAX_API_KEY are appropriate for a TTS client. The network endpoints in code point to api.minimaxi.com which aligns with the stated MiniMax purpose.
Instruction Scope
SKILL.md instructs running the included Python script and storing the API key in env or openclaw config — this matches the code. The runtime does read the user's openclaw config (~/.openclaw/openclaw.json) and writes audio to ~/.openclaw/workspace/tmp; both are documented in SKILL.md. The script uses subprocess.run to call ffmpeg when concatenating segments; the SKILL.md examples show multi-segment usage but do not declare ffmpeg as a required binary. Also the code allows overriding the API host via MINIMAX_API_HOST (which can redirect network calls) — this override is not declared as a required env var in the registry metadata.
Install Mechanism
This is instruction-only / contained code included in the skill bundle with no network-download install step. No external archives or installers are fetched during install, which lowers supply-chain risk.
Credentials
The only declared required credential is MINIMAX_API_KEY (primaryEnv) which is proportionate for a TTS API client. The code also reads MINIMAX_API_HOST if set (not declared in requires.env) and the openclaw config file; both are reasonable but the undocumented MINIMAX_API_HOST allows redirecting requests to an arbitrary host and should be noted.
Persistence & Privilege
The skill does not request always:true, does not demand extra system privileges, and confines storage to ~/.openclaw/workspace/tmp and its own config entry in ~/.openclaw/openclaw.json. It does not modify other skills' settings or system-wide configs beyond its own entry.
What to consider before installing
This skill appears to implement a legitimate MiniMax TTS client and only requires your MiniMax API key. Before installing: (1) Review and confirm you are comfortable providing MINIMAX_API_KEY (the script sends it as a Bearer token to the API). (2) Install ffmpeg if you plan to use multi-segment output (the script calls ffmpeg but ffmpeg is not listed as a required binary). (3) Be aware the code will read ~/.openclaw/openclaw.json and write audio files to ~/.openclaw/workspace/tmp (check those paths and permissions). (4) The script supports an environment override MINIMAX_API_HOST — don't set this to an untrusted host (an attacker-controlled host could capture your API key). (5) If you do not fully trust the skill source, review the included minimax_tts.py before running it (it performs network requests and executes ffmpeg via subprocess). If these points are acceptable or fixed (declare ffmpeg as required, document MINIMAX_API_HOST), the skill is coherent with its stated purpose.

Like a lobster shell, security has layers — review code before you run it.

audiovk979avzwkev83xx1ksw83h30ns83tj2ngeneratorvk979avzwkev83xx1ksw83h30ns83tj2nlatestvk979avzwkev83xx1ksw83h30ns83tj2nminimaxvk979avzwkev83xx1ksw83h30ns83tj2nspeechvk979avzwkev83xx1ksw83h30ns83tj2ntext-to-speechvk979avzwkev83xx1ksw83h30ns83tj2nttsvk979avzwkev83xx1ksw83h30ns83tj2nvoicevk979avzwkev83xx1ksw83h30ns83tj2n

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔊 Clawdis
Binspython3
EnvMINIMAX_API_KEY
Primary envMINIMAX_API_KEY

Comments