Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Doubao Podcast TTS
v1.0.0
Use when calling Doubao/ByteDance podcast TTS API to generate audio, parsing WebSocket binary frames, handling streaming audio chunks, extracting audio_url f...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, README, SKILL.md and the Python script all consistently implement a Doubao/ByteDance Podcast TTS WebSocket client (construct/parse binary frames, handle streaming audio chunks, extract audio_url). The capabilities requested in code (four API headers) are appropriate for this purpose. However the registry metadata claims no required env vars / credentials while the code and README clearly expect DOUBAO_APP_ID, DOUBAO_ACCESS_KEY, DOUBAO_RESOURCE_ID, DOUBAO_APP_KEY — this mismatch is unexpected.
Instruction Scope
SKILL.md and the included code focus on WebSocket framing, session lifecycle, chunk handling, timeouts, and deployment patterns (server proxy for headers, downloading audio immediately). There are no instructions to read unrelated files or to exfiltrate arbitrary data; network use and saving mp3 files are legitimate for this skill.
Install Mechanism
No install spec is provided (instruction-only + a Python script). That is low-risk from an install/execution-spec standpoint, but the script must be reviewed before running because it performs network I/O and file writes.
Credentials
The Python script and README require four Doubao API credentials (sent as headers). Those credentials are proportional to the stated purpose. The concern is that the registry metadata declares no required environment variables or primary credential — a discrepancy that could mislead users into installing without supplying credentials or understanding what will be transmitted to the remote API.
Persistence & Privilege
The skill is not force-installed (always: false) and does not request persistent privileges. It will run as an invoked script and uses network; no evidence it modifies other skills or global agent settings.
What to consider before installing
This skill appears to be a genuine client for ByteDance/Doubao Podcast TTS: it opens a WebSocket to wss://openspeech.bytedance.com, sends four API headers, assembles streamed MP3 chunks and suggests downloading the resulting CDN audio_url. Before installing or running it:
1) Verify the skill metadata in the registry — it should declare the four required credentials (DOUBAO_APP_ID, DOUBAO_ACCESS_KEY, DOUBAO_RESOURCE_ID, DOUBAO_APP_KEY). The current omission is a mismatch and could lead to confusion.
2) Only provide the Doubao credentials if you trust the source; these keys will be sent to ByteDance's API as HTTP headers.
3) Inspect the full script (the provided file is large and partially truncated here) before executing; running it will make network connections and write MP3 files to disk.
4) If you plan to use this from a browser, follow the recommended server-proxy pattern (browsers can't set custom headers).
5) Prefer obtaining the skill from a known repository or author, and avoid running arbitrary code on production systems without review.
If you want, I can: (a) list the exact lines where the script reads env vars and sends headers, (b) check the omitted tail of the Python file for any unexpected behavior, or (c) produce a minimal wrapper that logs but does not transmit credentials for safe testing.
latest: vk9729pygp3k3nwf79qjfwzx5zs83tfdm
