Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Tts Voice Generator
v1.3.0文本转语音生成工具,支持浏览声音列表、选择声音、上传自定义音频(带文本内容)并命名保存、生成语音和查询任务状态等功能。
⭐ 0· 43·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The name/description (文本转语音) matches the code: it calls TTS endpoints, lists voices, uploads audio and submits jobs to https://www.datamass.cn/ai-back. However the skill actually requires a datamass API key stored in ~/.openclaw/config.json (and optionally a base URL) even though the manifest declares no required env vars or config paths. That mismatch between declared requirements and actual needed configuration is an incoherence the user should know about.
Instruction Scope
SKILL.md and the runtime code explicitly instruct/expect the user to place an API key in ~/.openclaw/config.json and to provide local audio file paths for upload. The code opens that config file and will read local files passed to upload functions. These behaviors are in-scope for a TTS skill, but the instructions grant the skill access to a local config file and to any local file path the user supplies — and the manifest did not advertise that. There's also some minor implementation inconsistencies (different default workflow_id values in different files) which may cause unexpected behavior.
Install Mechanism
No install spec is present (instruction-only / Python code included). The only external dependency is requests (requirements.txt). No remote binary downloads or archive extraction are used. This is low install risk.
Credentials
The code requires a datamass API key (datamass_api_key) in ~/.openclaw/config.json to call remote APIs, but the registry metadata lists no required credentials or config paths. That omission is a proportionality/information mismatch. Additionally, the skill will upload user-provided audio to a third-party service (datamass.cn) and save custom voices to that service's database — a privacy/secret-exposure risk if users upload sensitive voice samples or others' voices.
Persistence & Privilege
The skill does not request always:true and does not declare elevated platform privileges. It will communicate with external APIs and save uploaded audio on the remote service, but it does not modify other skills or system-wide agent settings. Autonomous invocation (disable-model-invocation:false) is the platform default and not flagged by itself.
What to consider before installing
Things to consider before installing:
- The skill requires an API key for datamass.cn stored in ~/.openclaw/config.json, but the registry metadata does not declare this—expect to add that file before use. Verify you are comfortable storing the API key there.
- The skill uploads local audio files you provide to https://www.datamass.cn and the service will persist custom voices. Do not upload sensitive or third-party voice recordings unless you trust that service and its privacy/terms.
- There is no homepage or source provenance in the manifest; confirm that datamass.cn is the intended backend and that you trust it before giving an API key.
- The code is largely coherent with its stated TTS purpose, but there are small implementation inconsistencies (different workflow_id values and slightly different return handling across duplicated files) — test in a sandbox first.
- If you need stricter guarantees: inspect/run the code in an isolated environment, or replace the default BASE_URL with a trusted endpoint you control. If you accept the privacy implications and provide an API key, the skill appears to perform the TTS functionality it advertises.Like a lobster shell, security has layers — review code before you run it.
latestvk975hzbys4art90mmydz01543x849twf
License
MIT-0
Free to use, modify, and redistribute. No attribution required.