Openai Tts.Bak 2026 01 28T18:01:23+10:30

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: openai-tts-bak-2026-01-28t18-01-23-10-30
Version: 1.0.0

The skill is designed to perform text-to-speech via the OpenAI API, which aligns with its stated purpose. The `scripts/speak.sh` script properly sanitizes user input for the 'text' argument using `jq -Rs .` before constructing the JSON payload, preventing injection vulnerabilities. Network calls are exclusively directed to the legitimate `https://api.openai.com/v1/audio/speech` endpoint, and the `OPENAI_API_KEY` is handled as expected for authentication. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, prompt injection attempts against the agent, or obfuscation.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using this skill can bill or use quota on the configured OpenAI account.

Why it was flagged

The script uses the user’s OpenAI API key to authenticate to OpenAI. This is expected for the stated TTS purpose, but it grants access that can consume account quota or incur costs.

Skill content

`-H "Authorization: Bearer $OPENAI_API_KEY"`

Recommendation

Use an appropriate OpenAI API key, monitor usage, and avoid sharing the key in prompts, logs, or public files.

What this means

Text submitted for speech generation is transmitted to OpenAI.

Why it was flagged

The script sends the text payload to OpenAI’s external API endpoint. This is disclosed and purpose-aligned, but any text provided to the skill leaves the local environment.

Skill content

`curl -sS https://api.openai.com/v1/audio/speech ... -d "$json"`

Recommendation

Do not send secrets or highly sensitive text unless that is acceptable under your OpenAI account and data-handling requirements.

What this means

The skill may fail at runtime on systems without jq installed.

Why it was flagged

The script depends on jq for JSON escaping, but the supplied requirements declare curl as the only required binary. This is not malicious, but it is an undeclared runtime dependency.

Skill content

`$(printf '%s' "$text" | jq -Rs .)`

Recommendation

Declare jq as a required binary or replace its use with a dependency-free JSON escaping method.