Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
voice-huayan
v1.0.0
Local Chinese TTS playback on Windows using Piper zh_CN-huayan-medium with automatic fallback to System.Speech. Use when user asks to read replies aloud loca...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The description says "Local Chinese TTS playback on Windows using Piper ... with fallback to System.Speech", but the bundle contains a bash script and a Python helper (for ONNX metadata) and does not include the referenced PowerShell playback script ({baseDir}/bin/voice-huayan.ps1). The included artifacts are consistent with preparing/downloading Piper models (cross-platform) but there is no implementation provided for Windows playback or System.Speech fallback. This mismatch means the package may not provide the claimed Windows-local playback behavior as-is.
Instruction Scope
SKILL.md tells the agent to run a PowerShell script that is not present. The shipped vits-piper.sh downloads model files from Hugging Face and a GitHub release, installs Python packages with pip, extracts espeak data, and runs a Python script that edits ONNX metadata and writes tokens.txt. Those network downloads, package installs, and file writes are not described in SKILL.md and could run with broad filesystem/network effects. The Python script expects environment variables (LANG, TYPE, NAME) which SKILL.md does not declare or document.
Install Mechanism
There is no formal install spec, but the provided shell script uses wget to fetch model files from Hugging Face and a GitHub release (well-known hosts) and runs pip install for piper-phonemize, onnx, and onnxruntime==1.16.0. Downloading models from Hugging Face and extracting espeak data is expected for TTS, but the script will fetch and write archives to disk and install Python packages at runtime (moderate risk).
Credentials
The skill metadata declares no required environment variables, yet the provided scripts rely on LANG, TYPE, and NAME. Those env vars control which model is downloaded/modified. This is an incoherent mismatch: the runtime logic requires env configuration but the skill manifest does not declare it. No credentials are requested, which is consistent with local TTS, but the missing env declarations reduce transparency.
Persistence & Privilege
always is false and there is no indication the skill requests permanent agent-wide privileges. The scripts write files into the working directory (downloaded models, extracted espeak data) but do not change other skills or global agent configuration.
What to consider before installing
This package appears to prepare and run a local Piper ONNX model, but the SKILL.md points to a PowerShell playback script that is not provided and does not mention the downloads and pip installs the included scripts perform. Before installing or running:
1) Inspect or request the missing {baseDir}/bin/voice-huayan.ps1 used for playback (the current bundle lacks it).
2) Be aware the provided shell script will download model files from Hugging Face/GitHub and run pip installs — run it in a sandbox or virtual environment if you proceed.
3) Provide and control the required env vars (LANG, TYPE, NAME) rather than letting defaults run.
4) If you expect a Windows-only PowerShell implementation and System.Speech fallback, ask the author for the Windows-specific script or a clear explanation; otherwise this bundle looks like cross-platform model-prep code rather than a finished Windows playback skill.
Like a lobster shell, security has layers — review code before you run it.
latest vk97etxnvtr678n5e37kb31305x83sbbv
