Back to skill
Skillv2.0.0
ClawScan security
MOSS TTSD 多人对话合成 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 27, 2026, 6:35 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and instructions are consistent with a multi‑speaker TTS tool: it only needs a MOSI_TTS_API_KEY, calls studio.mosi.cn, and outputs a WAV file — nothing appears disproportionate or covert.
- Guidance
- This skill appears to be what it claims: a multi‑speaker TTS client that sends your provided text to studio.mosi.cn and saves returned audio locally. Before installing, ensure you trust the MOSI Studio service and are comfortable providing MOSI_TTS_API_KEY (the key is sent as a bearer token to the studio.mosi.cn API). Expect the script to require curl, jq, and base64, and to write output under ~/.openclaw/workspace. If you plan to enable automated/agent invocation, consider the risk of automated uploads of text (sensitive content) to the external service and restrict where the API key is stored; rotate the key if shared or exposed. If you rely on the Feishu integration mentioned in the docs, review that separate script (mosi-tts's mosi_feishu_voice.sh) for any channel-specific behavior before connecting to production chat accounts.
Review Dimensions
- Purpose & Capability
- okName/description (multi‑speaker TTS) match the files and runtime behavior. The only credential requested is MOSI_TTS_API_KEY, which is appropriate for calling the MOSI Studio API; required tools (curl, jq, base64) are reasonable for the stated job.
- Instruction Scope
- okSKILL.md and the script confine actions to building a JSON payload, POSTing to https://studio.mosi.cn/api/v1/audio/speech, decoding returned base64 audio, and writing a WAV to the user's workspace. They do not attempt to read unrelated files or other environment variables.
- Install Mechanism
- okNo install/download steps are present (instruction-only plus a local script). Nothing is fetched from third‑party URLs or written beyond the script's normal output path.
- Credentials
- okOnly MOSI_TTS_API_KEY is required (with an optional CLI override). That single API key is proportional to a TTS integration; no unrelated secrets or excessive env vars are requested.
- Persistence & Privilege
- okSkill is not always-enabled and does not modify other skills or global agent settings. It writes output to ~/.openclaw/workspace as expected for a TTS tool.