Skill v2.23.0

ClawScan security

Text to Speech · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 13, 2026, 6:12 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are consistent with its stated purpose (HeyGen Starfish TTS) and only require the HeyGen API key; there are no unexpected installs, files, or unrelated credentials requested.
Guidance
This skill is coherent for HeyGen TTS usage. Before installing, ensure you trust the skill source and are comfortable providing HEYGEN_API_KEY to it (the key allows calls to your HeyGen account). Limit exposure by using a scoped or expendable API key if HeyGen supports it, rotate keys regularly, and monitor HeyGen account activity for unexpected requests.

Review Dimensions

Purpose & Capability
ok: Name/description match the declared requirement (HEYGEN_API_KEY) and the SKILL.md shows only HeyGen TTS API endpoints and MCP tool calls; no unrelated services, binaries, or config paths are requested.
Instruction Scope
ok: SKILL.md contains only instructions to call HeyGen's /v3/voices and /v3/voices/speech endpoints (or, preferably, MCP tools). It does not instruct reading local files, other env vars, or sending data to unexpected endpoints.
Install Mechanism
ok: No install spec and no code files (instruction-only). Nothing is downloaded or written to disk by the skill itself.
Credentials
ok: Requires a single credential (HEYGEN_API_KEY) which is appropriate for accessing the HeyGen API; no additional secrets or unrelated env vars are requested.
Persistence & Privilege
ok: always is false and the skill is user-invocable; it does not request persistent system presence or modify other skills/configs.