smart-tts
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can use the configured DashScope account and may consume quota or incur provider usage costs.
The script reads a DashScope API key from the environment and uses it for provider calls. This is expected for the TTS service, but the registry metadata does not declare a required credential.
API_KEY = os.environ.get("DASHSCOPE_API_KEY", "") ... dashscope.api_key = API_KEYUse a limited-purpose DashScope key, store it securely, and monitor provider usage.
Any text given to the skill, including batch text, may be sent to the external TTS provider.
The supplied text is passed to the DashScope speech synthesizer. This is necessary for cloud TTS, but it means the text leaves the local environment.
result = synthesizer.call(text)
Avoid sending confidential or regulated text unless the DashScope account and data handling terms are acceptable.
Users may need to install or rely on a local DashScope package that is not pinned or described by the skill metadata.
The code depends on the third-party DashScope SDK, while the provided install metadata has no install spec or declared dependency.
import dashscope from dashscope.audio.tts_v2 import SpeechSynthesizer
Install the DashScope SDK only from a trusted package source and prefer pinned, reviewed versions.