MOSS Voice Generator 指令式音色生成
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: moss-voice-generator Version: 1.0.5 The moss-voice-generator skill is a legitimate tool for generating synthetic speech via the MOSI Studio API. The core script, mosi_voice_generator.sh, uses jq for secure JSON construction and curl to communicate with the official endpoint (studio.mosi.cn). No evidence of data exfiltration, malicious execution, or prompt injection was found; the skill operates as described in its documentation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill can consume or affect the MOSI account associated with the API key, and passing the key on the command line may expose it through shell history or process listings.
The script uses the MOSI_TTS_API_KEY environment variable, or an explicit --api-key argument, as a bearer token for the MOSI API. This is purpose-aligned, but it is still account credential use.
API_KEY="${MOSI_TTS_API_KEY}" ... --api-key|-k) API_KEY="$2" ... -H "Authorization: Bearer $API_KEY"Use a dedicated MOSI API key with appropriate limits, prefer the MOSI_TTS_API_KEY environment variable over the --api-key command-line option, and rotate the key if it may have been exposed.
Any text or voice description submitted for generation may be processed by MOSI Studio according to its service and retention policies.
The user-provided text and voice-style instruction are sent to the external MOSI Studio API. This is disclosed and central to the skill's purpose, but it is still a provider data flow.
PAYLOAD=$(jq -n --arg text "$TEXT" --arg instruction "$INSTRUCTION" ...) ... curl -sf -X POST "https://studio.mosi.cn/api/v1/audio/speech" ... -d "$PAYLOAD"
Only submit content you are comfortable sending to MOSI Studio, and review the provider’s privacy and data-retention terms if using confidential or personal text.