smart-tts
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a straightforward DashScope text-to-speech helper, with the main things to notice being API key use, provider data sharing, and an undeclared SDK dependency.
Before installing, confirm you are comfortable using a DashScope API key, sending the text you synthesize to DashScope, and installing the DashScope SDK from a trusted source. For batch mode, only provide files whose contents you intend to convert to speech.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can use the configured DashScope account and may consume quota or incur provider usage costs.
The script reads a DashScope API key from the environment and uses it for provider calls. This is expected for the TTS service, but the registry metadata does not declare a required credential.
API_KEY = os.environ.get("DASHSCOPE_API_KEY", "") ... dashscope.api_key = API_KEY
Use a limited-purpose DashScope key, store it securely, and monitor provider usage.
Any text given to the skill, including batch text, may be sent to the external TTS provider.
The supplied text is passed to the DashScope speech synthesizer. This is necessary for cloud TTS, but it means the text leaves the local environment.
result = synthesizer.call(text)
Avoid sending confidential or regulated text unless the DashScope account and data handling terms are acceptable.
Users may need to install or rely on a local DashScope package that is not pinned or described by the skill metadata.
The code depends on the third-party DashScope SDK, while the provided install metadata has no install spec or declared dependency.
import dashscope
from dashscope.audio.tts_v2 import SpeechSynthesizer
Install the DashScope SDK only from a trusted package source and prefer pinned, reviewed versions.
