Fish Audio Speech
PassAudited by ClawScan on May 15, 2026.
Overview
This appears to be a coherent Fish Audio text-to-speech plugin, but users should understand that it sends spoken text and a Fish Audio API key to the configured provider endpoint.
Before installing, make sure you are comfortable sending TTS text and a Fish Audio API key to Fish Audio or any configured custom endpoint. Use a revocable API key, keep it in a secret or environment variable, avoid confidential speech payloads if that is not acceptable, and only use voices you are authorized to use.
Publisher note
This is a Fish Audio speech-provider plugin. It declares a sensitive API key config field but does not contain a hardcoded API key; runtime files are compiled under dist/ and included in the npm-pack artifact.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A Fish Audio API key grants access to the user's Fish Audio account capabilities for TTS and voice listing.
The plugin explicitly declares that it uses a Fish Audio API key, which is expected for this provider integration.
"authMethods": ["api-key"], "envVars": ["FISH_AUDIO_API_KEY"]
Use a revocable, minimum-scope Fish Audio key and prefer environment or secret-backed configuration rather than putting the key directly in shared config files.
Text intended for speech synthesis is shared with Fish Audio, or with a custom endpoint if one is configured.
The plugin sends the text-to-speech payload and authorization header to the configured Fish Audio-compatible API endpoint.
const url = `${normalizeFishAudioBaseUrl(baseUrl)}/v1/tts`; ... headers: { Authorization: `Bearer ${apiKey}`, "Content-Type": "application/json", model }, body: JSON.stringify(body)Do not send confidential text unless you are comfortable with the provider handling it, and only configure a custom baseUrl that you trust.
Generated voice messages could sound like a real person or recognizable voice, creating social trust and consent risks if misused.
The skill supports voice cloning and community voices, which can be misused for impersonation, but the artifact includes explicit consent and authorization guidance.
Use cloned or trained voices only with appropriate rights, consent, and authorization. Do not imitate a private person, coworker, or public figure without clear authorization.
Use cloned, trained, or community voices only when you have the rights and consent to do so, especially for private people, coworkers, or public figures.