Skill v1.0.0

ClawScan security

Clone Wizard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 15, 2026, 7:12 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and instructions match its stated purpose (voice-clone guidance and preview generation); it asks only for the SenseAudio API key and CLI tools it actually uses.
Guidance
This skill is coherent with its stated purpose, but consider the following before installing or using it:
- Privacy: voice recordings are biometric data. Only upload recordings you control and are comfortable sharing with SenseAudio. Review senseaudio.cn's privacy policy and terms for voice cloning and retention.
- API key safety: the skill needs your SENSEAUDIO_API_KEY. Keep that key secret and do not paste it into unfamiliar places. If the agent stores files or logs, the key should not be written to logs or public locations.
- Files written to disk: the skill's examples write preview.json and my_voice_preview.mp3; verify where the agent stores these files and who can access them on your device or workspace.
- Authenticity: the endpoints used are api.senseaudio.cn and senseaudio.cn which match the Homepage in metadata. If you obtained a different SDK or plugin, confirm it points to the official domain.
- Consent & legal: cloning voices may have legal/ethical implications (consent from the recorded person). Ensure you have the right to clone the voice.

If you want stronger assurance, ask the skill author for: a privacy/security statement from senseaudio.cn, or concrete details on how the agent handles temporary files and logs. Otherwise this skill appears internally consistent and proportionate to its stated function.

Review Dimensions

Purpose & Capability
ok: Name/description, required env var (SENSEAUDIO_API_KEY), required binaries (curl, jq, xxd), and referenced endpoints (senseaudio.cn, api.senseaudio.cn) are consistent with a guided workflow that calls SenseAudio APIs for analysis and TTS preview. No unrelated services or credentials are requested.
Instruction Scope
note: SKILL.md instructs the agent to POST user audio for analysis, to call the TTS endpoint with a voice_id, and to write/read local files (preview.json, my_voice_preview.mp3). These are within the stated purpose, but they involve handling users' audio files (sensitive biometric data) and writing output to disk — the user should be aware of where files are stored and how they are shared.
Install Mechanism
ok: No install spec and no code files (instruction-only) — lowest-risk install model. The skill relies on standard CLI tools (curl, jq, xxd) already declared and used in examples; nothing is downloaded from arbitrary URLs.
Credentials
ok: Only a single credential (SENSEAUDIO_API_KEY) is required and is used by the example curl commands. No unrelated secrets or system config paths are requested. This is proportionate to calling the provider's API.
Persistence & Privilege
ok: Skill is user-invocable and not always-enabled; it does not request permanent presence or modify other skills/system settings. Autonomous invocation is allowed by default, which is normal and not by itself a concern here.