ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Voice Cloning

v0.1.5

AI voice generation, text-to-speech, and voice synthesis via inference.sh CLI. Models: Kokoro TTS, DIA, Chatterbox, Higgs, VibeVoice for natural speech. Capa...

0· 1.4k·4 current·4 all-time
byÖmer Karışman@okaris
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the instructions: the SKILL.md consistently describes using the inference.sh CLI and specific TTS models for voice generation and related workflows.
!
Instruction Scope
Runtime instructions tell the agent to run a remote installer (curl | sh), run 'infsh login', and call infsh apps which will send text/audio to inference.sh and other named apps (e.g., bytedance/omnihuman-1-5). The document does not discuss what data is transmitted, where it is stored, or what credentials are required — broad network I/O and credential usage are implicit but undocumented.
!
Install Mechanism
No local code is bundled; the Quick Start pipes a remote script from https://cli.inference.sh to sh and downloads binaries from dist.inference.sh. Piping remote scripts to a shell is high-risk unless the script and checksums are audited; the installer domain is not a well-known package host and the skill provides no embedded verification steps aside from pointing to a checksums.txt.
!
Credentials
Registry metadata declares no required env vars or credentials, yet instructions call 'infsh login' (implying user credentials or tokens will be created/stored). This mismatch hides required credentials and the agent's runtime will interact with external services that may receive potentially sensitive text/audio input.
Persistence & Privilege
always is false and there are no install scripts embedded in the skill itself. The skill does not request persistent or elevated platform privileges in the metadata.
What to consider before installing
This skill appears to do what it says (voice synthesis) but requires installing and using a remote CLI (curl | sh https://cli.inference.sh) and logging into inference.sh — actions that will transmit your text/audio to an external service and will store credentials locally. Before installing, review the installer script and checksums at the referenced URLs, prefer manual download + checksum verification over piping to sh, and confirm the service's privacy/retention policy and terms of use. Avoid sending any sensitive or proprietary text/audio to the service until you trust it. If you need a lower-risk option, consider a local/offline TTS solution or a CLI from a known package registry; if you still want this skill, ask the maintainer for source code or a signed release and verify the install artifacts in a sandbox first.

Like a lobster shell, security has layers — review code before you run it.

latestvk977qp4923fnzg3487j4r883f181da8g

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments