ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Voice Picker

v1.0.0

Recommend the best SenseAudio voice for any scenario or emotion. Use when users ask which voice to use — e.g. "儿童故事播客用什么音色", "电商直播带货适合哪个声音", "我需要撒娇感的女声", "有没...

0· 192·0 current·0 all-time
by@scikkk
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's name/description (voice recommendation) matches the SKILL.md content and the listed voice library. However the registry metadata marks SENSEAUDIO_API_KEY as a required primary credential, while the SKILL.md explicitly states "No API key needed for recommendations; optionally generates a TTS preview sample." Requiring the API key by default is disproportionate to the stated core purpose (recommendations). The required binaries (curl, jq, xxd) are consistent with the optional preview feature.
Instruction Scope
SKILL.md instructions are narrowly scoped: mapping user descriptions to voice IDs, returning 1–3 recommendations, and — only if the user asks for a preview — calling SenseAudio's TTS endpoint. The runtime steps write preview.json and preview_<VOICE_ID>.mp3 files in the working directory. The instructions do not request unrelated files, other environment variables, or external endpoints beyond api.senseaudio.cn. Note: because previews use the API key and produce files on disk, the agent will perform network I/O and local file writes when previews are requested.
Install Mechanism
No install spec and no code files are present; this is an instruction-only skill. That is low-risk from an installation perspective (nothing is downloaded or written by an installer).
!
Credentials
Only one credential appears: SENSEAUDIO_API_KEY. That credential is appropriate for the optional TTS preview, but the registry's required.env / primaryEnv listing makes it seem mandatory even though the SKILL.md says it is optional. This over-declaration could lead users or agent deployments to supply a sensitive key when it isn't needed for the primary feature (recommendations). No other unrelated credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not modify other skills or system settings. It can be invoked by the user and (by default) can be invoked autonomously by the agent (normal behavior), but there is no indication it requests elevated or persistent system privileges.
What to consider before installing
This skill appears to do what it says (map scenarios to SenseAudio voice IDs and optionally generate short TTS previews). However, the registry marks SENSEAUDIO_API_KEY as a required primary credential even though the SKILL.md says the API key is only needed for preview audio. Before installing: (1) only provide SENSEAUDIO_API_KEY if you intend to use the TTS preview feature — otherwise omit it so the agent cannot make network TTS calls; (2) ensure curl, jq, and xxd are installed if you plan to use previews; (3) be aware previews will create preview.json and preview_<VOICE_ID>.mp3 files in the agent's working directory — delete them if they contain sensitive text; (4) confirm the API key you provide is least-privileged and rotate/revoke it if you stop using the skill; (5) verify the SenseAudio homepage and API docs yourself (https://senseaudio.cn) if you need stronger assurance about data handling. The main unresolved issue is the mismatch between "required" credential metadata and the SKILL.md's assertion that the key is optional.

Like a lobster shell, security has layers — review code before you run it.

latestvk970j7sgawpmpmt20w4xrgfek582xnm8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binscurl, jq, xxd
EnvSENSEAUDIO_API_KEY
Primary envSENSEAUDIO_API_KEY

Comments