Skill v1.0.0

ClawScan security

Voice Picker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 14, 2026, 2:42 PM
Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary
The skill's behavior is mostly coherent, but the registry marks SENSEAUDIO_API_KEY as a required primary credential even though the SKILL.md says the API key is only optionally needed for TTS previews — that mismatch is unexplained and worth caution.
Guidance
This skill appears to do what it says (map scenarios to SenseAudio voice IDs and optionally generate short TTS previews). However, the registry marks SENSEAUDIO_API_KEY as a required primary credential even though the SKILL.md says the API key is only needed for preview audio. Before installing: (1) only provide SENSEAUDIO_API_KEY if you intend to use the TTS preview feature — otherwise omit it so the agent cannot make network TTS calls; (2) ensure curl, jq, and xxd are installed if you plan to use previews; (3) be aware previews will create preview.json and preview_<VOICE_ID>.mp3 files in the agent's working directory — delete them if they contain sensitive text; (4) confirm the API key you provide is least-privileged and rotate/revoke it if you stop using the skill; (5) verify the SenseAudio homepage and API docs yourself (https://senseaudio.cn) if you need stronger assurance about data handling. The main unresolved issue is the mismatch between "required" credential metadata and the SKILL.md's assertion that the key is optional.

Review Dimensions

Purpose & Capability
concern: The skill's name/description (voice recommendation) matches the SKILL.md content and the listed voice library. However the registry metadata marks SENSEAUDIO_API_KEY as a required primary credential, while the SKILL.md explicitly states "No API key needed for recommendations; optionally generates a TTS preview sample." Requiring the API key by default is disproportionate to the stated core purpose (recommendations). The required binaries (curl, jq, xxd) are consistent with the optional preview feature.
Instruction Scope
note: SKILL.md instructions are narrowly scoped: mapping user descriptions to voice IDs, returning 1–3 recommendations, and — only if the user asks for a preview — calling SenseAudio's TTS endpoint. The runtime steps write preview.json and preview_<VOICE_ID>.mp3 files in the working directory. The instructions do not request unrelated files, other environment variables, or external endpoints beyond api.senseaudio.cn. Note: because previews use the API key and produce files on disk, the agent will perform network I/O and local file writes when previews are requested.
Install Mechanism
ok: No install spec and no code files are present; this is an instruction-only skill. That is low-risk from an installation perspective (nothing is downloaded or written by an installer).
Credentials
concern: Only one credential appears: SENSEAUDIO_API_KEY. That credential is appropriate for the optional TTS preview, but the registry's required.env / primaryEnv listing makes it seem mandatory even though the SKILL.md says it is optional. This over-declaration could lead users or agent deployments to supply a sensitive key when it isn't needed for the primary feature (recommendations). No other unrelated credentials are requested.
Persistence & Privilege
ok: The skill is not always-enabled and does not modify other skills or system settings. It can be invoked by the user and (by default) can be invoked autonomously by the agent (normal behavior), but there is no indication it requests elevated or persistent system privileges.