ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

openai-tts

v0.1.0

OpenAI Text-to-Speech API for high-quality speech synthesis. Use for generating natural-sounding audio from text with customizable voices and tones.

0· 20·0 current·0 all-time
by@lnj22
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The name/description claim a simple OpenAI TTS helper, which matches the SKILL.md content. However, the skill metadata declares no required environment variables or primary credential, while the runtime instructions explicitly rely on the OPENAI_API_KEY; that inconsistency suggests incomplete or sloppy packaging.
Instruction Scope
SKILL.md instructions stay within TTS functionality (calling OpenAI TTS, chunking text, concatenating audio). They access the OPENAI_API_KEY env var (not declared in metadata) and assume Python packages (openai, pydub) and system tools (ffmpeg for pydub) are available; they do not read unrelated system files or exfiltrate data to unexpected endpoints.
Install Mechanism
This is an instruction-only skill with no install spec, so it writes nothing to disk and does not fetch remote code. That is lower risk, but it does implicitly rely on third-party Python packages and system utilities that are not declared.
!
Credentials
The instructions require OPENAI_API_KEY (a sensitive credential) but the registry metadata lists no required env vars or primary credential. Requesting an API key is proportionate for a TTS skill, but failing to declare it is an important inconsistency and reduces transparency about what credentials will be used.
Persistence & Privilege
The skill does not request persistent/always-on presence and does not modify other skills or system-wide settings; normal autonomous invocation is allowed (default).
What to consider before installing
This skill appears to be a straightforward OpenAI TTS recipe, but it has a key metadata mismatch: SKILL.md expects OPENAI_API_KEY but the package metadata does not declare that requirement. Before installing/providing an API key, verify the skill source and consider: (1) only provide a scoped API key with limited permissions and budget limits, (2) ensure your environment has the required Python packages (openai, pydub) and ffmpeg, (3) run the skill in an isolated environment if possible, and (4) ask the author to update metadata to explicitly declare OPENAI_API_KEY and any install prerequisites. If you cannot verify the source or cannot limit the key, do not install.

Like a lobster shell, security has layers — review code before you run it.

latestvk974wpf9at7dk6bg8mnjwxq0cn84wdbe

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments