Skill v1.0.0
ClawScan security
mar-edge-tts · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 24, 2026, 3:50 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, runtime instructions, and required credential (SKILLBOSS_API_KEY) align with a TTS integration; there are minor documentation and packaging inconsistencies but nothing that indicates intentional misdirection.
- Guidance: This skill appears to be what it claims: a TTS connector that uses a SkillBoss API key. Before installing: (1) Confirm SKILLBOSS_API_KEY is obtained from a trusted account/service and limit its permissions if possible. (2) Inspect scripts/package-lock.json and package.json (there's a minor mismatch: node-edge-tts appears in the lockfile but not in scripts/package.json); review the listed dependencies on npm (node-edge-tts) to ensure you trust them. (3) Be aware the scripts will write ~/.tts-config.json and temporary audio files to the system temp directory and will log a short preview of input text — avoid passing highly sensitive secrets through the TTS calls. (4) Run npm install in an isolated environment (container or VM) if you want to limit blast radius. If any of the documentation references (Microsoft Edge TTS, travisvn preview site) are unexpected for your environment, ask the maintainer for clarification before deploying.
Review Dimensions
- Purpose & Capability (note): The skill claims to convert text to speech via SkillBoss API Hub and the scripts call https://api.heybossai.com/v1/pilot with SKILLBOSS_API_KEY — that is consistent. Minor inconsistencies: references/docs mention Microsoft Edge TTS and a third-party preview site (tts.travisvn.com), and scripts/package metadata differ slightly (scripts/package.json lists only 'commander' while package-lock and skill-info.json include 'node-edge-tts'). These are likely documentation/packaging sloppiness rather than functional mismatch.
- Instruction Scope (ok): SKILL.md instructs the agent to use either a built-in 'tts' tool or the included Node scripts. The scripts only read/write a per-user config (~/.tts-config.json), write temp audio files to the system temp dir, and require SKILLBOSS_API_KEY. They do not request unrelated system files or credentials.
- Install Mechanism (note): There is no platform install spec in the registry, but an install.sh and an npm-based scripts/ installation are provided (cd scripts && npm install). That pulls packages from the public npm registry (package-lock shows node-edge-tts and other normal deps). Using npm is standard but writes files and native modules to disk — review dependencies before running npm install. The package.json / package-lock mismatch is worth checking.
- Credentials (ok): Only SKILLBOSS_API_KEY is declared and used by the scripts to authenticate to the SkillBoss API Hub; this is proportionate for a TTS integration. The scripts persist user preferences to ~/.tts-config.json and log the first ~50 characters of input text, which could appear in logs — a minor privacy note.
- Persistence & Privilege (ok): The skill does not request always: true, does not modify other skills, and only persists a user-level config file and temporary audio files. It can be invoked autonomously (platform default), but this is expected for skills and is not excessive here.
