Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

minimax-speech

v1.0.0

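MiniMax speech synthesis skill - supports synchronous/asynchronous text-to-speech (T2S), voice cloning (Voice Clone), voice design (Voice Design), and voice query and deletion. Uses the speech-2.8-hd model and outputs mp3/wav/pcm audio files to local disk.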

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The skill's code and SKILL.md implement TTS, voice cloning, voice design, list/get/delete voice operations using a MiniMax HTTP API — that matches the described purpose. However, the registry metadata lists no required environment variables or dependencies, while both SKILL.md and scripts/speech.py require MINIMAX_API_KEY (and optionally MINIMAX_REGION) and the Python 'requests' library. The missing manifest declarations and unknown source/homepage are an incoherence and reduce traceability.
Instruction Scope
Runtime instructions and the script stay within the stated purpose: they call MiniMax API endpoints, write output audio files locally, and read reference audio files for cloning. The SKILL.md does instruct providing MINIMAX_API_KEY and MINIMAX_REGION (which is consistent with the code). There are no instructions to read unrelated user files or system secrets beyond the API key or to send data to unexpected endpoints. Note: cloning uploads base64-encoded audio to the third-party API (privacy/legal implication).
Install Mechanism
This is instruction-only with a bundled Python script (no install spec). That is lower risk, but the script depends on the 'requests' package which is not declared in metadata. There is no automated installer; users will need to ensure Python and requests are present. No arbitrary downloads or extract/install steps are present.
[!] Credentials
The functionality legitimately requires a MINIMAX_API_KEY and optionally MINIMAX_REGION; these are referenced in SKILL.md and enforced by the code. However the registry metadata claims 'Required env vars: none', which is inconsistent and misleading. No other credentials are requested. The script reads local audio files when cloning (expected) and writes output files — this is proportional but users should be aware that audio data is uploaded to the remote service.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system configurations, and does not persist credentials itself. Autonomous invocation is allowed by default (normal), but there is no elevated persistence or privileged behavior in the package.
What to consider before installing
This package appears to implement the advertised TTS and voice-clone features, but the manifest is incomplete and the source/origin is unknown. Before installing:
1) Do not use a production/broadly-permissioned API key — create a restricted/test key or billing limits.
2) Verify the API domains (api.minimaxi.com / minimax.io) and the provider's legitimacy; ask the author for a homepage or repository.
3) Ensure Python and the 'requests' library are available; the manifest should declare this dependency.
4) Understand privacy: cloning uploads your reference audio (potentially sensitive) to a third-party service — get consent from speakers.
5) Prefer running first in an isolated environment (container or VM) to observe network traffic and behavior.
6) Ask the publisher to correct the registry metadata to declare MINIMAX_API_KEY and MINIMAX_REGION and to provide verifiable source code hosting; absence of these is the main reason this skill is flagged as suspicious.

Like a lobster shell, security has layers — review code before you run it.
