Back to skill
Skillv1.0.1
ClawScan security
SenseAudio-TTS · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 14, 2026, 8:11 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only helper for SenseAudio TTS that only requires a SenseAudio API key and its instructions, requirements, and artifacts align with that purpose.
- Guidance
- This skill is coherent with its stated purpose, but note that using it will cause the agent to send your text and TTS parameters to https://api.senseaudio.cn using the provided SENSEAUDIO_API_KEY. If you plan to use sensitive content, verify SenseAudio's privacy/security policies and that the API key has appropriate, limited permissions. Test first with non-sensitive text and rotate/revoke the API key if you stop using the skill. Also confirm that the homepage and API endpoints are authentic before supplying credentials.
Review Dimensions
- Purpose & Capability
- okName/description match the declared requirement (SENSEAUDIO_API_KEY) and the SKILL.md + references describe using SenseAudio HTTP/SSE/WebSocket TTS endpoints. Nothing requested (no extra env vars, binaries, or config paths) appears unrelated to TTS integration and debugging.
- Instruction Scope
- okRuntime instructions focus on constructing requests, handling SSE/WebSocket sequencing, decoding hex audio, and production hardening. The docs only reference the included references/tts.md file; they do not instruct reading unrelated files or additional environment variables or exfiltrating data to unexpected endpoints. The note to 'log session and trace identifiers' is reasonable for debugging but is a potential privacy consideration (expected for TTS debugging).
- Install Mechanism
- okNo install specification or downloadable code is present; this is instruction-only, so nothing is written to disk and there is no package install risk.
- Credentials
- okOnly SENSEAUDIO_API_KEY is required and declared as the primary credential. That matches the described API usage (Authorization: Bearer <API_KEY>) and is proportionate to the skill's purpose.
- Persistence & Privilege
- okThe skill is not always-enabled and does not request elevated persistence or modifications to other skills or system config. It is user-invocable and allows autonomous invocation by default (platform normal), but there is no additional privileged presence requested.