Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Voice Reply
v1.0.0
Dual-mode voice reply skill. Uses Edge TTS (free) to generate voice replies and Whisper to transcribe voice input.
by gentoobreaking@openclawchen8-lgtm
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (Whisper for transcription, Edge TTS for synthesis) align with the declared pip and ffmpeg dependencies. However, the README claims "完全免費,無需 API Key" ("completely free, no API key required") and "離線運行" ("runs offline"), which is only true for Whisper; edge-tts relies on Microsoft/online TTS endpoints and will perform network calls. The mix of offline claim and an online TTS client is an inconsistency.
Instruction Scope
SKILL.md instructions stick to installing whisper/edge-tts and running transcription/TTS commands and sample code. They reference local files and cache paths only. They do not explicitly warn that edge-tts sends text to remote services or that large model files will be downloaded. There is a brittle, user-specific fallback path (/Users/claw/...) in the Python example.
Install Mechanism
No arbitrary downloads or extracted archives; install spec uses pip (PyPI) and brew which are standard. Installing packages from PyPI and Homebrew is normal but carries the usual supply-chain risk and will fetch code from the network.
Credentials
The skill requests no environment variables, credentials, or config paths beyond suggesting cache locations. No unnecessary secrets are requested.
Persistence & Privilege
Skill is instruction-only, no code files, not always-enabled, and does not request system-wide configuration changes or permissions. It only suggests writing cached models and generated media files to local paths.
What to consider before installing
Before installing or using this skill, consider:
(1) Whisper downloads model files locally (up to ~1.5GB for larger models) — check disk space and initial network bandwidth.
(2) edge-tts is an online TTS client that sends text to Microsoft/Edge TTS endpoints (so generated text/audio is transmitted off-device); if you need truly offline TTS, edge-tts is not appropriate.
(3) pip and brew installations pull code from PyPI/Homebrew — review package provenance and preferably install into a virtual environment.
(4) The sample Python code launches the edge-tts binary with subprocess.run; ensure the binary is from a trusted install and be aware it will execute.
(5) The README contains a hardcoded macOS user path and assumes Homebrew; verify/adjust paths for your OS.
(6) If privacy is a concern, test with non-sensitive content and/or review network traffic to confirm where data is sent.
These issues look like sloppy documentation rather than malicious intent, but you should verify network/privacy behavior and adjust installs accordingly.
Like a lobster shell, security has layers — review code before you run it.
latestvk97e5490zptdfcz2pzxjzcbw89844ymk
