ClawHub

Openai Tts.Bak 2026 01 28T18:01:23+10:30

v1.0.0

Text-to-speech via OpenAI Audio Speech API.

1· 1.5k·0 current·1 all-time
by@nicoataiza
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and the script match: the skill calls OpenAI's /v1/audio/speech to produce TTS and therefore legitimately needs an OpenAI API key and network access. However the registry metadata at the top claims no required env vars or binaries, while the SKILL.md front-matter and the script require OPENAI_API_KEY and curl (and the script actually calls jq). The mismatch between declared requirements and actual usage is incoherent and should be corrected.
Instruction Scope
SKILL.md and the example only instruct calling scripts/speak.sh to send text to api.openai.com — scope is limited to TTS. But SKILL.md suggests an alternate config location (~/.clawdbot/clawdbot.json) for an apiKey; the provided speak.sh does not read that file (it only reads OPENAI_API_KEY), so the documentation and runtime instructions disagree. The script sends user-provided text to OpenAI (expected) and optionally writes output files (expected).
Install Mechanism
No install spec; this is instruction + script only, so nothing is downloaded or installed at runtime by the skill package. That reduces supply-chain risk.
!
Credentials
Using OPENAI_API_KEY is appropriate for the stated purpose. But the registry metadata incorrectly lists no required env vars while SKILL.md metadata and the script rely on OPENAI_API_KEY — that inconsistency is concerning because it may mislead users into thinking no secrets are required. Also the script depends on jq for JSON escaping but neither the top-level metadata nor SKILL.md front-matter lists jq as a required binary, which can cause failures or hidden assumptions.
Persistence & Privilege
The skill does not request persistent/always-on privileges and does not modify other skills or global config. It only reads an environment variable at runtime; there is no autonomous installation behavior described.
What to consider before installing
This skill appears to be a simple wrapper around OpenAI's TTS API and will send text to api.openai.com using your OPENAI_API_KEY. Before installing: (1) verify the skill source/owner and consider using a dedicated OpenAI key with limited scope/billing; (2) ensure you have curl and jq installed (the script uses jq for JSON encoding but jq is not declared); (3) be aware the registry metadata is inconsistent — it claims no env vars are needed but the script requires OPENAI_API_KEY, so don't assume no secret will be used; (4) if you need the advertised ~/.clawdbot config behavior, confirm the script actually implements it or update the code; (5) if you don't want your API key used, do not install — the key will be sent to OpenAI whenever the script runs. If you want higher assurance, ask the publisher to correct metadata (list OPENAI_API_KEY, curl, jq) and to add explicit checks for jq and clearer handling of the alternate config file.

Like a lobster shell, security has layers — review code before you run it.

latestvk976zdjx489tqqpydymkpb5b81803gc5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔊 Clawdis
Binscurl
EnvOPENAI_API_KEY
Primary envOPENAI_API_KEY

Comments