Skillv0.1.0

VirusTotal security

Pocket TTS Complete Documentation · External malware reputation and Code Insight signals for this exact artifact hash.

SuspiciousApr 30, 2026, 3:47 AM

Hash: b900eeb8f19455f72101b5ec1a2e99042b6397b1a3364d25187b18da7cc138c3
Source: palm
Verdict: suspicious
Code Insight: Type: OpenClaw Skill Name: lb-pocket-tts-skill Version: 0.1.0 The skill documents several high-risk capabilities of the `pocket-tts` tool, which, while presented as features, could be leveraged for attacks if the OpenClaw agent is prompted with malicious inputs or if the underlying library has vulnerabilities. Specifically, the skill describes how to load model configurations from arbitrary local YAML files (e.g., via `--config` in `docs/generate.md`, `docs/serve.md`), which could lead to arbitrary code execution. It also details loading audio prompts for voice cloning from arbitrary local files or remote HTTP/HTTPS URLs (e.g., via `--voice` in `SKILL.md`, `docs/generate.md`, `docs/export_voice.md`, `docs/python-api.md`), posing risks of Local File Inclusion (LFI) or Server-Side Request Forgery (SSRF). Additionally, the `pocket-tts serve` command (documented in `SKILL.md`, `docs/serve.md`) starts a web server, exposing an API that could be a further attack surface. There is no direct evidence of intentional malicious instructions within the skill's markdown, but the documented capabilities introduce significant security risks.
External report: View on VirusTotal