Skillv0.1.0

ClawScan security

gtts · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 15, 2026, 2:38 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is an instruction-only guide for using the gTTS Python library to convert text to audio; its requirements and instructions are coherent with that purpose and it does not request unrelated credentials or privileged access.
Guidance: This is a normal how-to for gTTS. Before using: (1) run pip installs inside a virtual environment, (2) install ffmpeg if you plan to use pydub or the ffmpeg concat approach, (3) be aware gTTS sends text to Google’s public TTS endpoints (avoid sending sensitive or confidential text), (4) gTTS is different from Google Cloud Text-to-Speech (no API key) and may be rate-limited or subject to breakage, and (5) review any installed packages' licenses and versions before installing. The skill itself does not request secrets or elevated privileges.

Purpose & Capability: okThe name/description match the SKILL.md content: it explains using gTTS and pydub to convert and concatenate audio chunks for long text. Nothing in the instructions requests unrelated services or capabilities.
Instruction Scope: okRuntime instructions only demonstrate installing gtts/pydub, chunking text, creating temporary files, generating MP3s, concatenating audio, and cleaning up. The steps operate only on provided text and temporary files and note the need for network access to Google's TTS endpoints; they do not read unrelated system files or environment variables.
Install Mechanism: noteThere is no formal install spec in the registry (instruction-only). SKILL.md recommends 'pip install gtts pydub' and optionally using ffmpeg for concatenation. This is normal but means the user will run package installation locally; ffmpeg is an external binary dependency to be installed separately.
Credentials: okNo environment variables, credentials, or config paths are requested. The only external interaction is network calls to Google's TTS service (gTTS uses public Google endpoints and does not require an API key), so no secret exposure is requested by the skill itself.
Persistence & Privilege: okSkill is not always-enabled, does not request persistent system privileges, and does not modify other skills or agent-wide config. It's an instruction-only skill and can be invoked by the user/agent normally.