Togetherai Tts
PassAudited by ClawScan on May 10, 2026.
Overview
This skill does what it claims—sends text to TogetherAI for speech generation and saves an audio file—but users should notice the API key, external text upload, and chosen output path.
This appears safe for its stated purpose if you are comfortable sending the chosen text to TogetherAI. Keep your TOGETHERAI_API_KEY private, avoid converting sensitive text unless the provider terms fit your needs, use a safe output filename, and install dependencies from a trusted source.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The API key can authorize billable TogetherAI requests or consume account quota if misused.
The skill uses a TogetherAI API key from the environment and sends it to the expected TogetherAI API endpoint. This is necessary for the service, but it is a credential-bearing action and the registry metadata does not declare a primary credential.
const apiKey = process.env.TOGETHERAI_API_KEY; ... 'Authorization': `Bearer ${apiKey}`Use a scoped/limited TogetherAI key if available, keep the .env file private, and consider updating metadata to declare the required credential.
Any text converted to speech may be visible to or processed by TogetherAI under its service terms.
The supplied text is transmitted to an external provider API for speech generation. This is disclosed and purpose-aligned, but it means user text leaves the local environment.
await axios.post('https://api.together.ai/v1/audio/speech', { text, model, voice, format, }, ...)Avoid submitting confidential or regulated text unless TogetherAI's handling of that data is acceptable for your use case.
A mistaken or unsafe output filename could replace an existing file with generated audio data.
The output path is fully supplied by the caller and the script writes to that path. This is normal for a CLI TTS tool, but an incorrect path could overwrite an unintended file.
const outputFile = process.argv[3]; ... fs.writeFileSync(outputFile, Buffer.from(audioData, 'base64'));
Write outputs to a dedicated safe directory and confirm before overwriting important files.
Dependency behavior could differ depending on what versions are installed.
The skill depends on external npm packages using caret ranges, and no lockfile is included in the provided manifest. This is common, but installed versions may vary over time.
"dependencies":{"axios":"^1.6.0","dotenv":"^16.3.1"}Install dependencies from trusted registries and prefer a checked lockfile or pinned versions for reproducible installs.