MOSS Voice Generator 指令式音色生成
PassAudited by ClawScan on May 10, 2026.
Overview
This appears to be a normal MOSI voice-generation skill, but it sends your requested text and voice description to MOSI’s online API using your MOSI API key.
This skill is reasonable to install if you trust MOSI Studio and want cloud-based voice generation. Set MOSI_TTS_API_KEY carefully, avoid passing secrets through the --api-key command-line option, and do not submit sensitive or confidential text unless MOSI’s privacy terms are acceptable to you.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill can consume or affect the MOSI account associated with the API key, and passing the key on the command line may expose it through shell history or process listings.
The script uses the MOSI_TTS_API_KEY environment variable, or an explicit --api-key argument, as a bearer token for the MOSI API. This is purpose-aligned, but it is still account credential use.
API_KEY="${MOSI_TTS_API_KEY}" ... --api-key|-k) API_KEY="$2" ... -H "Authorization: Bearer $API_KEY"Use a dedicated MOSI API key with appropriate limits, prefer the MOSI_TTS_API_KEY environment variable over the --api-key command-line option, and rotate the key if it may have been exposed.
Any text or voice description submitted for generation may be processed by MOSI Studio according to its service and retention policies.
The user-provided text and voice-style instruction are sent to the external MOSI Studio API. This is disclosed and central to the skill's purpose, but it is still a provider data flow.
PAYLOAD=$(jq -n --arg text "$TEXT" --arg instruction "$INSTRUCTION" ...) ... curl -sf -X POST "https://studio.mosi.cn/api/v1/audio/speech" ... -d "$PAYLOAD"
Only submit content you are comfortable sending to MOSI Studio, and review the provider’s privacy and data-retention terms if using confidential or personal text.