Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Dialogue Audio
v0.1.5Multi-speaker dialogue audio creation with Dia TTS. Covers speaker tags, emotion control, pacing, conversation flow, and post-production. Use for: podcasts,...
⭐ 0· 765·2 current·2 all-time
byÖmer Karışman@okaris
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name, description, and runtime instructions all align: the SKILL.md instructs use of the inference.sh CLI to run falai/dia-tts for multi-speaker dialogue, which is consistent with the stated purpose.
Instruction Scope
Instructions stay within the TTS/dialogue generation domain (how to tag speakers, control pacing/emotion, and example infsh commands). They do instruct the agent/user to install and run an external CLI and to run 'infsh login' (which will perform authentication), but they do not request unrelated system files or environment variables.
Install Mechanism
The Quick Start recommends piping a remote install script (curl -fsSL https://cli.inference.sh | sh) and downloading binaries from dist.inference.sh. That pattern (remote script executed directly) is high risk unless you fully trust and audit the installer; the SKILL.md claims checksum verification but does not embed a verifiable hash for the user to check before execution. The domains are not standard well-known package hosts in this manifest, and no offline/manual install alternative is provided other than links — overall this is the largest security concern.
Credentials
The skill declares no required environment variables or credentials, which is proportionate to its purpose. Note: the suggested 'infsh login' step will create/authenticate credentials for the inference.sh service (outside the skill's manifest) — that authentication is expected to use account tokens, so users should understand what permissions and data that account grants.
Persistence & Privilege
The skill does not request always:true, has no install spec that writes to system paths within the manifest, and is instruction-only. It does rely on an external CLI which will persist on disk after installation, but the skill itself does not request elevated or persistent platform privileges.
What to consider before installing
This skill appears to do what it says (generate multi‑speaker dialogue via Dia TTS), but be cautious about the install step. Avoid blindly running curl | sh from unfamiliar domains. If you want to use it: (1) inspect the install script before running it (download it with curl -fsSL https://cli.inference.sh -o install.sh and review), (2) verify binary SHA‑256 hashes manually against the published checksums.txt on the server before executing the binary, (3) consider installing in a sandbox/container or using a throwaway account for 'infsh login' so you limit potential exposure, and (4) check the inference.sh project's reputation, privacy policy, and what account scopes the login grants. If you cannot or will not verify the installer and checksums, treat the install step as high risk.Like a lobster shell, security has layers — review code before you run it.
latestvk975q8h3dtp1ewrvnng2k5szfh81dda5
License
MIT-0
Free to use, modify, and redistribute. No attribution required.