Telegram Offline Voice

Status: Pending. Static analysis audit pending.

Overview

No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may submit private Telegram message text believing it is processed entirely locally.

Why it was flagged

The skill repeatedly claims offline/local privacy while also identifying Microsoft Edge-TTS as the synthesis engine. Edge-TTS is Microsoft's online read-aloud service: the edge-tts package sends the text to that service and downloads the synthesized audio, so the synthesis step is not local. The two statements contradict each other and can mislead users about whether their text leaves the local machine.

Skill content
Uses Microsoft Edge-TTS to generate high-quality Chinese speech, fully processed offline. ... 🔒 **Privacy protection**: 100% local audio processing, not routed through any additional cloud TTS provider.
Recommendation

Revise the description to clearly disclose the Edge-TTS provider behavior, whether network access is required, and what text may be sent outside the device.

What this means

Sensitive text intended for a Telegram voice message may be exposed to the TTS provider rather than staying local.

Why it was flagged

User-supplied --text is passed directly into edge_tts for synthesis, but the artifacts do not clearly disclose the provider data boundary, retention, or privacy implications.

Skill content
# user-supplied text is handed to the Edge-TTS service; the returned audio is saved locally
communicate = edge_tts.Communicate(text, voice, rate=rate)
await communicate.save(output_path)
Recommendation

Add an explicit provider/privacy notice before use, avoid sensitive text unless the provider terms are acceptable, and consider a truly local TTS backend if offline processing is the goal.
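The two Edge-TTS findings above both come down to one question: does the text leave the machine during synthesis? The following added example (not code from the skill or from ClawScan) is a probe a practitioner can run before trusting a "100% local" claim: it runs a TTS backend once with name resolution and TCP connects refused at the socket level, so a backend that needs a cloud service fails before any text is sent. The two backends in the block are constructed stand-ins, and the hostname in `fake_cloud_tts` is an assumption used only to trigger the probe.

```python
"""Probe whether a TTS backend really stays on the machine.

Added example; not code from the skill or from ClawScan. The backends below
are constructed stand-ins, and the hostname in fake_cloud_tts is an assumption.
"""
import socket
import tempfile
from pathlib import Path
from typing import Callable

Backend = Callable[[str, Path], None]


class NetworkUseDetected(RuntimeError):
    """The backend under test tried to resolve a name or open a connection."""


def synthesize_without_network(backend: Backend, text: str, output_path: Path) -> None:
    """Run backend(text, output_path) with DNS lookups and TCP connects refused.

    socket.getaddrinfo is patched because a DNS lookup is the first thing a
    cloud client does; socket.socket.connect and socket.create_connection
    cover clients that connect to a literal IP (asyncio's create_connection
    ends up in socket.connect as well). A C extension that bypasses the socket
    module is not caught; for a hard guarantee run the probe in a network
    namespace (e.g. `unshare -n`) or behind an egress firewall instead.
    """
    saved = {
        "getaddrinfo": socket.getaddrinfo,
        "create_connection": socket.create_connection,
        "connect": socket.socket.connect,
    }

    def refuse(*args, **kwargs):
        raise NetworkUseDetected(f"backend attempted network access: {args[:2]!r}")

    socket.getaddrinfo = refuse
    socket.create_connection = refuse
    socket.socket.connect = refuse
    try:
        backend(text, output_path)
    finally:
        socket.getaddrinfo = saved["getaddrinfo"]
        socket.create_connection = saved["create_connection"]
        socket.socket.connect = saved["connect"]


def produces_audio_offline(backend: Backend, text: str) -> bool:
    """True if the backend wrote a non-empty file without any network access."""
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp) / "probe.mp3"
        try:
            synthesize_without_network(backend, text, out)
        except NetworkUseDetected:
            return False
        return out.exists() and out.stat().st_size > 0


def fake_local_tts(text: str, output_path: Path) -> None:
    # Constructed stand-in for a genuinely offline engine: the bytes are
    # derived from the text alone, with no I/O besides the output file.
    output_path.write_bytes(b"ID3" + text.encode("utf-8"))


def fake_cloud_tts(text: str, output_path: Path) -> None:
    # Constructed stand-in for a cloud-backed engine such as edge_tts: it needs
    # a remote endpoint (hostname is an assumption) before it can write audio.
    with socket.create_connection(("tts.example.invalid", 443), timeout=2) as conn:
        conn.sendall(text.encode("utf-8"))
        output_path.write_bytes(conn.recv(65536))


if __name__ == "__main__":
    sample = "这是一条私密消息"  # constructed sample text
    for name, backend in (("local", fake_local_tts), ("cloud", fake_cloud_tts)):
        print(f"{name}: offline={produces_audio_offline(backend, sample)}")
```

To probe the skill itself, wrap the call quoted above in a backend, for example `lambda text, out: asyncio.run(edge_tts.Communicate(text, voice).save(str(out)))` with `voice` set to the skill's voice name (an assumption about how the skill is invoked); a result of `False` confirms that synthesis requires the network and that the "fully offline" wording should be dropped.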

What this means

Installing uv this way executes code fetched from the internet during setup.

Why it was flagged

The setup documentation pipes a remote install script straight into sh, so whatever astral.sh serves at that moment runs on the machine without being inspected first. It is user-directed and related to the stated purpose, but users should recognize the supply-chain trust involved.

Skill content
curl -LsSf https://astral.sh/uv/install.sh | sh
Recommendation

Verify the installer source (download the script to a file and read it, or check its checksum, before running it), prefer a package manager or an installer pinned to a specific release where possible, and review dependency versions for production use.

What this means

Behavior could change if upstream packages publish new versions.

Why it was flagged

The inline uv script dependencies are not version-pinned, so future installs may resolve different package versions.

Skill content
# dependencies = [
#     "edge-tts",
#     "aiofiles",
# ]
Recommendation

Pin dependency versions or provide a lockfile for more reproducible installs.

What this means

The skill runs a local ffmpeg process and writes generated media files to the selected output directory.

Why it was flagged

The script invokes ffmpeg locally to convert MP3 to OGG. This is expected for the audio-conversion purpose, and it passes an argument list rather than using shell=True, so file names are not parsed by a shell.

Skill content
subprocess.run(cmd, check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
Recommendation

Use it only on systems where ffmpeg is trusted, keep the output directory scoped to a temporary or user-controlled location, and reject output names that would resolve outside it.