Openai Tts.Bak 2026 01 28T18:01:23+10:30
PassAudited by ClawScan on May 1, 2026.
Overview
This skill is a straightforward OpenAI text-to-speech wrapper, with expected API-key and external-service use, plus a small undeclared dependency issue.
This skill appears coherent and purpose-aligned. Before installing, make sure you are comfortable sending the text you provide to OpenAI, using an OpenAI API key that may incur charges, and installing or having jq available even though only curl is declared.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using this skill can bill or use quota on the configured OpenAI account.
The script uses the user’s OpenAI API key to authenticate to OpenAI. This is expected for the stated TTS purpose, but it grants access that can consume account quota or incur costs.
-H "Authorization: Bearer $OPENAI_API_KEY"
Use an appropriate OpenAI API key, monitor usage, and avoid sharing the key in prompts, logs, or public files.
Text submitted for speech generation is transmitted to OpenAI.
The script sends the text payload to OpenAI’s external API endpoint. This is disclosed and purpose-aligned, but any text provided to the skill leaves the local environment.
curl -sS https://api.openai.com/v1/audio/speech ... -d "$json"
Do not send secrets or highly sensitive text unless that is acceptable under your OpenAI account and data-handling requirements.
The skill may fail at runtime on systems without jq installed.
The script depends on jq for JSON escaping, but the supplied requirements declare curl as the only required binary. This is not malicious, but it is an undeclared runtime dependency.
$(printf '%s' "$text" | jq -Rs .)
Declare jq as a required binary or replace its use with a dependency-free JSON escaping method.