Skill v1.0.0

ClawScan security

Audiobook · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 13, 2026, 12:31 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions and requirements are coherent for a TTS/audiobook generator, but there are small metadata inconsistencies and privacy considerations you should review before use.
Guidance
This skill appears to do what it says: it parses text and sends chunks to SenseAudio to generate audio. Before installing, verify and be comfortable with these points: (1) You must provide a SenseAudio API key — confirm the exact environment variable name expected (SKILL.md indicates API_KEY / SENSEAUDIO_API_KEY). (2) Using the skill will upload full book text to a third-party service (api.senseaudio.cn); do not send copyrighted, confidential, or sensitive text unless you have rights and trust the service. (3) The SKILL.md uses Python + requests for examples but the skill does not install dependencies — ensure your environment has the needed runtime/libraries. (4) If you need stronger assurances, ask the publisher to correct the registry metadata to list the required env var and to document data retention/privacy for uploaded text. If any of these items worry you, test with non-sensitive sample text first.

Review Dimensions

Purpose & Capability
ok
The name and description match the runtime instructions: the SKILL.md shows parsing text, chunking, and calling a SenseAudio TTS API to produce chaptered audio. Requiring a SenseAudio API key is appropriate for this purpose. One inconsistency: the registry metadata at the top reported no required env vars, while SKILL.md declares a required credential (SENSEAUDIO_API_KEY / env_var API_KEY).
Instruction Scope
note
Runtime instructions are limited to parsing text, chunking it, calling the SenseAudio API, decoding returned audio, and writing audio files — all consistent with audiobook generation. Important operational scope: the skill will send full user text (entire chapters/books) to a third-party API (api.senseaudio.cn). There are no instructions that access unrelated system files, other credentials, or exfiltrate data elsewhere.
Install Mechanism
ok
This is an instruction-only skill with no install spec and no bundled code files, so nothing is downloaded or installed by the skill itself. The SKILL.md includes Python examples that assume standard libraries (and requests), but the skill does not declare or install those dependencies.
Credentials
concern
The SKILL.md correctly requires an API key for SenseAudio (Authorization header uses API_KEY). However, the registry metadata did not list required environment variables, creating a mismatch. The single credential requested (SenseAudio API key) is proportionate to the stated purpose, but confirm which env var name the agent expects (SKILL.md maps SENSEAUDIO_API_KEY -> API_KEY).
Persistence & Privilege
ok
The skill does not request always: true and does not declare elevated or persistent privileges. It is user-invocable and can be autonomously invoked by the agent (platform default), which is expected for skills of this type.