TTS Synthesizer | TTS 合成器

Security checks across malware telemetry and agentic risk

Overview

This is a coherent text-to-speech skill that uses expected online TTS services and writes generated audio files, with some privacy cautions for users.

Install only if you are comfortable sending the text you synthesize to Microsoft edge-tts or to the OpenAI-compatible API endpoint you configure. Avoid using it for secrets or confidential text, keep API keys scoped, and expect generated audio files to be saved in the OpenClaw workspace output directory unless you choose another path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium (81% confidence)
The trigger list includes broad everyday phrases such as '语音回复' and '语音对话', which could cause the skill to activate unintentionally during normal conversation. Because this skill can send text to external TTS services and write output files, accidental invocation could expose user content and consume external services or credentials without clear intent.

Missing User Warnings

Medium (93% confidence)
The documentation explains networked TTS and API key usage but does not clearly warn users that input text may be transmitted to third-party services for synthesis. This is a privacy issue because users may provide sensitive text assuming local processing, while the skill explicitly supports remote Microsoft and OpenAI-compatible endpoints.

Missing User Warnings

Medium (91% confidence)
This script uses edge-tts, an online Microsoft-backed TTS service, and sends user-provided text over the network for synthesis. The code and CLI help text describe the feature but do not clearly warn users that their input may leave the local machine, which creates a real privacy risk if users submit secrets, personal data, or confidential content.

VirusTotal

66/66 vendors flagged this skill as clean.
