Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pi Speaker

v1.0.1

Play TTS or audio on the Raspberry Pi (or gateway host) default speaker. Use when the user asks for an announcement, alarm, news summary, or "say X on the Pi...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name and description call for playing local audio on the gateway host; the skill only requires paplay or pw-play and includes a small playback helper script that runs those binaries. These requirements match the stated purpose.
Instruction Scope
SKILL.md straightforwardly instructs the agent to generate TTS (using the platform's tts tool) then invoke exec/bash to call paplay/pw-play (or the included script) on the host path. It does not ask the agent to read unrelated files, access secrets, or contact external endpoints.
Install Mechanism
No install spec; script is included but nothing is auto-downloaded or executed during install. No network fetches or archive extraction are defined.
Credentials
No environment variables or credentials are requested. The binaries required (paplay/pw-play) are appropriate and proportional to playing audio.
Persistence & Privilege
Skill is not set to always: true and does not request persistent system changes or modify other skills. It simply instructs running a playback command on demand.
Assessment
This skill appears to do only what it says: generate or receive a path to an audio file and play it on the gateway host using paplay or pw-play (or the included helper script). Before enabling, verify that the gateway host actually has PulseAudio/PipeWire and the desired default sink set (Bluetooth speaker connected). Remember the agent will execute a host command (exec/bash) to play files — only enable this skill on hosts you trust. There are no required credentials and no external downloads, so there is low risk of hidden network exfiltration, but avoid running it on sensitive multi-user machines if you do not want arbitrary audible playback.

Like a lobster shell, security has layers — review code before you run it.

latest vk974bh8bdgz1rv5eqb7ytm0b3s82gh2a

Runtime requirements

🔊 Clawdis
Any bin: paplay, pw-play