Skillv1.5.0

ClawScan security

qwenspeak · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 17, 2026, 11:09 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's functionality (SSH-based TTS) is plausible, but there are mismatches and risky instructions (undocumented required env vars, implicit use of your SSH private key, and a recommended curl|sudo bash installer) that warrant caution before installing or granting access.
Guidance: This skill is coherent with being an SSH-based TTS client, but it has several red flags you should address before using it: - It requires network access and an SSH identity: the included wrapper will call ssh tts@QWENSPEAK_HOST and therefore needs access to your SSH private key or agent. Consider creating a dedicated SSH keypair for this service and restricting that key on the server (command restrictions, limited account). - The registry metadata omits required env vars (QWENSPEAK_HOST, QWENSPEAK_PORT); treat those as required. Expect other QWENSPEAK_* settings on the server side. - references/setup.md suggests running a remote install script via curl | sudo bash. Do NOT run that as-is without reviewing the script content. Prefer to inspect the repository, clone it locally, and run only the commands you understand. Avoid piping unknown scripts to sudo. - The skill exposes put/get file operations. If you give an agent this skill plus file system access, it could upload local files to the remote host. Limit the agent's file-access scope and ensure the remote host is trusted and isolated. If you decide to proceed: review the GitHub install script before running, use a dedicated SSH key with restricted server-side permissions, host the QWENSPEAK instance on infrastructure you control or trust, and confirm that the registry metadata is updated to declare required env vars and any needed config paths.

Review Dimensions

Purpose & Capability: noteThe name/description (Qwen3-TTS over SSH) matches the included script and commands. However, registry metadata claims no required env vars while SKILL.md and scripts clearly require QWENSPEAK_HOST and QWENSPEAK_PORT and rely on SSH keys; this metadata mismatch is inconsistent and should have been declared.
Instruction Scope: concernRuntime instructions direct the agent to interact with a remote host over SSH (tts@host), upload/download arbitrary files (put/get), and create reference audio. That is coherent for a TTS client, but it implicitly requires access to the user's SSH private key(s) and network access to the target host. The setup instructions also advise appending your public key to the server's authorized_keys. The skill permits file transfers which, if misused or combined with an untrusted remote host, could exfiltrate local data.
Install Mechanism: concernThere is no formal install spec for the skill, but references/setup.md recommends running a remote installer via curl -fsSL https://raw.githubusercontent.com/psyb0t/docker-qwenspeak/main/install.sh | sudo bash. Download-and-pipe-to-sudo is high-risk: it writes files, manages authorized_keys, and installs a system command. The URL is a raw GitHub URL (better than an unknown personal server) but running arbitrary remote scripts as root should be reviewed manually before execution.
Credentials: concernAlthough the registry lists no required env vars, the SKILL.md and scripts require QWENSPEAK_HOST and QWENSPEAK_PORT; the setup references many QWENSPEAK_* env vars and persistence to ~/.qwenspeak/. The skill also implicitly requires the user's SSH private key (e.g., ~/.ssh) to authenticate to the remote service. Sensitive accesses (private keys, potential SSH agent use) are not declared in the registry metadata.
Persistence & Privilege: okThe skill does not request always:true and does not appear to modify other skills or global agent configuration. It is user-invocable and allows autonomous invocation (the platform default), which is expected for skills.