Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Qwen Tts

v1.0.2

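Alibaba Cloud Qwen speech synthesis (TTS) skill that converts text into natural speech. Use it when the user asks for reading aloud, speech synthesis, text-to-speech, TTS, reading a passage, or turning text into sound. Supports multiple voices (Chinese/English/dialects) and streaming output that plays while it synthesizes.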

by woodylan @lanlan314
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The declared purpose (Qwen TTS using 千问/Dashscope) matches the scripts and documentation: they call Dashscope TTS endpoints and produce audio. However, the registry metadata lists no required environment variables or binaries while SKILL.md and the shipped scripts clearly require DASHSCOPE_API_KEY and optional FEISHU_* credentials, plus ffmpeg, jq, python3 and requests. The omission in metadata is an inconsistency that reduces transparency.
Instruction Scope
SKILL.md and the scripts limit behavior to building requests to Dashscope, downloading the returned audio, converting formats, and optionally uploading to Feishu. They do not attempt to read unrelated system files or credentials. The instructions explicitly state which env vars are needed and which scripts need Feishu creds.
Install Mechanism
No install spec is provided (instruction-only skill with included scripts) so nothing is auto-downloaded or executed during install. This is lower risk. The included scripts are plain Bash/Python and call standard network endpoints; there are no obfuscated downloads or third-party archive installations.
Credentials
The environment variables required by the scripts (DASHSCOPE_API_KEY, and optionally FEISHU_APP_ID, FEISHU_APP_SECRET, FEISHU_USER_ID) are reasonable and proportional to the stated functionality. The concern is that the registry metadata declares 'Required env vars: none' and 'Required binaries: none', which is inaccurate and could mislead users about the secrets and tools the skill needs.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; it does not request elevated or persistent platform privileges. It does make outbound network calls to Dashscope and optionally Feishu when used, which is expected for a TTS/sending skill.
What to consider before installing
This skill appears to implement the described TTS functionality, but the registry metadata incorrectly omits required environment variables and binaries. Before installing or using it:
1) Verify you trust the source (homepage is missing).
2) Expect to provide DASHSCOPE_API_KEY for TTS and, only if you use speak_and_send.py, FEISHU_APP_ID/FEISHU_APP_SECRET/FEISHU_USER_ID to send audio to Feishu.
3) Ensure ffmpeg, jq, python3 and the Python requests library are available.
4) Be aware that text you submit will be sent to Dashscope/Aliyun and (if using the send script) audio will be uploaded to Feishu — avoid sending sensitive content.
5) Prefer running the scripts in a sandbox first and consider rotating any API keys used.
Finally, ask the publisher or maintainer to correct the registry metadata to accurately list required env vars and binaries.

Like a lobster shell, security has layers — review code before you run it.

latestvk976yhzt0y8mj25mvc63z2n8qx83zpy9
