Skill v1.0.1
ClawScan security
Togetherai Tts · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Feb 21, 2026, 4:03 AM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and docs use a TogetherAI API key and related env vars, but the registry metadata does not declare any required credentials, an inconsistency that warrants caution before installing.
- Guidance: This skill appears to implement the described TTS function, but the registry metadata failed to list the required TogetherAI API key (TOGETHERAI_API_KEY). Before installing:
  1. Confirm you trust the skill author and verify the package source.
  2. Don't provide unrelated or high-privilege secrets; only supply a TogetherAI API key in a scoped environment.
  3. Consider running the skill in a sandbox or container and inspect network activity to ensure it's only calling api.together.ai.
  4. Prefer to install only if the registry metadata is corrected (primary credential declared) or after you manually review the code (index.js is short and readable).
  If you cannot verify the publisher or prefer tighter controls, do not install or run with real credentials.
Review Dimensions
- Purpose & Capability (concern): The name/description (TogetherAI TTS) matches the code and SKILL.md: index.js posts text to https://api.together.ai/v1/audio/speech and writes an MP3. However, the registry metadata lists no required environment variables or primary credential, while both SKILL.md and the code require TOGETHERAI_API_KEY (and optional TOGETHERAI_MODEL/TTS_FORMAT/TTS_VOICE). The missing declaration of the API key in the registry is an incoherence.
- Instruction Scope (ok): SKILL.md and index.js are narrowly scoped: they read env vars (via dotenv), POST to TogetherAI's audio endpoint, and write a base64-decoded audio file. The runtime instructions do not request unrelated files, other credentials, or external endpoints beyond api.together.ai.
- Install Mechanism (ok): There is no install spec (instruction-only skill with bundled code). Dependencies are standard npm libs (axios, dotenv) declared in package.json. No suspicious download URLs or archive extraction are present.
- Credentials (concern): The code expects a sensitive credential (TOGETHERAI_API_KEY) and other configuration env vars; that is reasonable for a TTS integration. The problem is that the registry metadata does not declare these required env vars or a primary credential, so platform-level visibility of the secret requirement is missing. This omission increases the chance that a user will supply credentials without realizing which skill will use them.
- Persistence & Privilege (ok): The skill does not request persistent/always-installed privileges (always:false), does not modify other skills or system configs, and uses normal agent invocation behavior.
