Back to skill
Skillv1.0.9
ClawScan security
TTS Synthesizer | TTS 合成器 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 29, 2026, 2:53 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, documentation, and dependencies are consistent with a Text‑to‑Speech tool that uses edge-tts and an OpenAI‑compatible API; no evidence of unrelated credential requests, obfuscated endpoints, or unexpected install-time downloads was found.
- Guidance
- This skill appears to do exactly what it says: generate TTS using edge-tts or an OpenAI‑compatible API and convert outputs to OGG/Opus. Before installing: (1) review requirements.txt and install system deps (ffmpeg/libopus) in a controlled environment; (2) only provide an API key if you trust the API URL you pass (TTS_API_URL/TTS_API_KEY are used only for API mode); (3) note the skill will write audio files under your OpenClaw workspace (~/.openclaw/workspace/projects/tts-synthesizer/output); (4) if you want extra caution, run the scripts in an isolated environment (virtualenv or container) and inspect the output files and network calls while testing. Minor note: the registry metadata doesn't mark TTS_API_* as required even though SKILL.md documents them — that's a documentation/metadata mismatch, not malicious behavior.
Review Dimensions
- Purpose & Capability
- okName/description (TTS via edge-tts and an OpenAI‑compatible API) matches the included scripts (tts_edge.py, tts_simple.py) and requirements (edge-tts, openai, av, aiohttp). All declared features (voice lists, conversion to OGG/Opus) are implemented by the scripts.
- Instruction Scope
- okSKILL.md instructs installing requirements and running the provided scripts; runtime instructions only reference expected files, the workspace path, and optional API endpoints. The doc asks the agent/user to use TTS_API_URL/TTS_API_KEY when using API mode — these are proportional to the feature. No instructions ask the agent to read unrelated system files or exfiltrate data.
- Install Mechanism
- noteThere is no automated install spec in the registry (instruction-only), but a requirements.txt is included and the README instructs pip install -r requirements.txt. This is typical for Python skills; system packages (ffmpeg/libopus) are required for audio conversion and are documented. No downloads from untrusted URLs or archive extraction were found.
- Credentials
- okThe only credentials referenced are TTS_API_URL and TTS_API_KEY (for API mode); these are appropriate for an OpenAI‑compatible TTS backend. The registry metadata lists no required env vars, but SKILL.md documents optional environment variables — a minor metadata mismatch but not a security concern.
- Persistence & Privilege
- okThe skill does not request always:true and does not modify other skills or system policies. It writes output audio files to a subdirectory under the user's OpenClaw workspace (~/.openclaw/workspace/projects/tts-synthesizer/output), which is expected behavior for a TTS tool.