Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Togetherai Tts

v1.0.1

Convert text to speech using the TogetherAI API with the MiniMax speech-2.6-turbo model and save audio in mp3 format.

by Marc Smith (@marcus20232023)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The name and description (TogetherAI TTS) match the code and SKILL.md: index.js posts text to https://api.together.ai/v1/audio/speech and writes an MP3. However, the registry metadata lists no required environment variables or primary credential, while both SKILL.md and the code require TOGETHERAI_API_KEY (and optionally TOGETHERAI_MODEL/TTS_FORMAT/TTS_VOICE). The API key's absence from the registry declaration is an inconsistency.
Instruction Scope
SKILL.md and index.js are narrowly scoped: they read env vars (via dotenv), POST to TogetherAI's audio endpoint, and write a base64-decoded audio file. The runtime instructions do not request unrelated files, other credentials, or external endpoints beyond api.together.ai.
Install Mechanism
There is no install spec (instruction-only skill with bundled code). Dependencies are standard npm libs (axios, dotenv) declared in package.json. No suspicious download URLs or archive extraction are present.
! Credentials
The code expects a sensitive credential (TOGETHERAI_API_KEY) and other configuration env vars; that is reasonable for a TTS integration. The problem is that the registry metadata does not declare these required env vars or a primary credential, so the secret requirement is not visible at the platform level. This omission increases the chance that a user will supply credentials without realizing which skill will use them.
Persistence & Privilege
The skill does not request persistent/always-installed privileges (always:false), does not modify other skills or system configs, and uses normal agent invocation behavior.
What to consider before installing
This skill appears to implement the described TTS function, but the registry metadata failed to list the required TogetherAI API key (TOGETHERAI_API_KEY). Before installing:
1) Confirm you trust the skill author and verify the package source.
2) Don't provide unrelated or high-privilege secrets; only supply a TogetherAI API key in a scoped environment.
3) Consider running the skill in a sandbox or container and inspect network activity to ensure it's only calling api.together.ai.
4) Prefer to install only if the registry metadata is corrected (primary credential declared) or after you manually review the code (index.js is short and readable).
If you cannot verify the publisher or prefer tighter controls, do not install or run with real credentials.
