Back to skill
Skillv1.0.2
ClawScan security
Voice Clone · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 14, 2026, 7:51 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requested binaries, Python deps, and single API key align with its stated purpose of guiding SenseAudio platform voice cloning and calling SenseAudio TTS APIs.
- Guidance
- This skill appears coherent and only needs your SenseAudio API key plus Python packages to validate audio locally and call the SenseAudio TTS endpoint. Before installing: ensure the API key you provide is scoped appropriately (use a least-privilege/rotatable key if the platform supports it), verify you trust https://senseaudio.cn and its privacy policy for handling uploaded audio, and be aware the agent will make network calls to the SenseAudio API and may transmit voice_id and input text. The pydub dependency is optional for local audio checks. If you have high-sensitivity audio, consider reviewing SenseAudio’s retention/usage policies before uploading or using cloned voices.
Review Dimensions
- Purpose & Capability
- okName/description (SenseAudio voice cloning + TTS) match the declared requirements: python3, requests, pydub, and a single SENSEAUDIO_API_KEY. None of the required binaries or env vars are unrelated to the stated functionality.
- Instruction Scope
- okSKILL.md stays within scope: it guides users to perform platform-side cloning, validates audio locally (optional), and shows POST calls to the official SenseAudio TTS endpoint using the API key in an Authorization header. It does not instruct reading unrelated system files or exfiltrating secrets; it even warns not to log API keys.
- Install Mechanism
- okInstall spec lists Python packages (requests, pydub) only. These are standard PyPI libraries and are proportionate to the task (HTTP calls and optional local audio handling). No arbitrary downloads or custom binaries are requested.
- Credentials
- okOnly SENSEAUDIO_API_KEY is required and is declared as the primary credential; that is appropriate for a skill that calls SenseAudio APIs. No unrelated secrets or multiple credential requirements are present.
- Persistence & Privilege
- okalways is false (no forced inclusion). The skill does not request system-wide changes or access to other skills' configs. Autonomous invocation is allowed by default but is not combined with elevated privileges here.