Quick TTS

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its text-to-speech purpose, but its shell-based API template appears to place user-provided text directly into a command without clear escaping guidance.

Review this skill before installing. It appears to perform the advertised TTS task, but it should be updated to construct API JSON safely rather than directly interpolating text into a shell command. Use a limited SenseAudio API key and avoid submitting sensitive text unless you trust the provider's handling of it.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If pasted text contains quotes or shell-significant characters and the agent substitutes it directly, the request may fail or unintended local shell commands could run.

Why it was flagged

The operational API call places the user-provided text placeholder inside a shell-quoted JSON body, but the skill does not instruct the agent to safely JSON-escape or shell-escape that text before execution.

Skill content

curl -s -X POST https://api.senseaudio.cn/v1/t2a_v2 ... -d '{ ... "text": "<TEXT>", ... }' -o response.json

Recommendation

Build the JSON payload safely, for example with jq --arg or a temporary JSON file, and avoid direct string interpolation of user text into shell commands.

What this means

The agent can make SenseAudio API calls using the user's key, which may consume quota or incur provider-side usage.

Why it was flagged

The skill requires a SenseAudio API key and uses it as a bearer token when calling the provider API.

Skill content

SENSEAUDIO_API_KEY ... Authorization: Bearer $SENSEAUDIO_API_KEY

Recommendation

Use a revocable, provider-scoped API key and monitor usage; do not place unrelated credentials in this environment variable.

What this means

Any text submitted for speech synthesis is shared with the SenseAudio service.

Why it was flagged

The skill sends the user's text to the external SenseAudio API to synthesize audio, which is expected for the feature and is clearly shown.

Skill content

curl -s -X POST https://api.senseaudio.cn/v1/t2a_v2 ... "text": "<TEXT>"

Recommendation

Avoid using the skill for private or regulated text unless SenseAudio's data handling terms are acceptable.