Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Xiaomi-MiMo-V2-TTS
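v2.0.0
Xiaomi MiMo V2 TTS text-to-speech model (currently free on the official site). Supports Chinese/English, with built-in emotional styles (happy/sad/angry), role-play (Sun Wukong/Lin Daiyu), dialects (Northeastern Mandarin/Sichuanese/Cantonese/Henan dialect), speech-rate control, and singing. mp3/opus output can be sent directly to WeChat/Feishu. **Configuration (required)**: in `openclaw.json`, under `sk...
by xiaoqi @php737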
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The Python script and SKILL.md implement Xiaomi MiMo V2 TTS and call the documented API endpoint, which matches the skill's description. However, the registry metadata lists no required environment variables or config paths while both SKILL.md and the script require an API key (MIMO_API_KEY) and reference the user's openclaw.json; this metadata omission is inconsistent.
Instruction Scope
Runtime instructions and the script stay within TTS scope: install requests/ffmpeg, provide API key, call api.xiaomimimo.com, and write audio files. Minor scope issues: examples reference a hard-coded /root/.openclaw install path (incongruent with README examples), and the script will read ~/.openclaw/openclaw.json to find the API key (it loads the whole JSON), which is broader file access than declaring only an env var would imply.
Install Mechanism
No install spec is provided (instruction-only plus a local script). There are no remote downloads or extracted archives in the bundle, and dependencies are standard (requests, ffmpeg). This is low risk from an installation mechanism perspective.
Credentials
The script requires an API key (MIMO_API_KEY) but the registry metadata does not declare any required env vars — a mismatch. The script also attempts to read ~/.openclaw/openclaw.json (and will search skills.entries and a legacy tools.mimoTts path) to obtain the key; reading the user's OpenClaw config could expose other stored config values, so this behavior should be explicitly declared and justified.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and is user-invocable only. It runs ad-hoc and does not demand persistent elevated platform privileges.
What to consider before installing
- The code and docs implement TTS and will send your text and an API key to https://api.xiaomimimo.com. Only provide MIMO_API_KEY if you trust that endpoint and the skill author.
- The registry metadata did NOT declare the required MIMO_API_KEY or the openclaw.json config access — this omission is suspicious and means your agent UI may not warn you about the credential the skill needs.
- The script will attempt to read ~/.openclaw/openclaw.json to load the key (and checks a legacy path). Inspect that file first — it can contain other tokens/config — and avoid storing unrelated secrets there if you enable this skill.
- Examples reference /root/.openclaw paths; ensure the expected installation path matches your environment and that hard-coded paths won’t expose files unintentionally.
- The skill requires network access and may perform multiple retries; review the endpoint hostname and consider running the script locally in a sandbox or with a throwaway API key before enabling in production.
- Installing ffmpeg via apt or Homebrew requires elevated privileges on some systems; be careful granting those.
If you want to proceed: (1) review the full scripts/tts.py source yourself (it’s included), (2) add only the minimal API key needed, (3) keep openclaw.json free of other secrets or avoid relying on that file by setting MIMO_API_KEY as an environment variable, and (4) run first in an isolated environment. If you need, I can highlight the exact lines in the script that read openclaw.json and send the API request.
Like a lobster shell, security has layers — review code before you run it.
