ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Edge Tts Cantonese

v1.0.0

Generate Cantonese TTS audio in OGG format using Microsoft Edge TTS for voice replies on WhatsApp and Telegram with adjustable tone styles.

0· 52·1 current·1 all-time
byGabriel@skglau
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The name/description claim Microsoft Edge TTS output in OGG, which is coherent with a TTS skill. However the SKILL.md expects pre-existing, undocumented scripts at /home/gabriel/.openclaw/workspace/scripts/edge-tts-voice-ogg.sh and edge-tts-telegram.sh. The skill package provides no install, no scripts, and no explanation of required binaries or auth, so it cannot function as-is and is incoherent about its dependencies.
!
Instruction Scope
Instructions explicitly instruct the agent (or operator) to run absolute-path shell scripts in a specific user's home directory. That directs the agent to execute local code that is not included with the skill and could perform arbitrary actions or read arbitrary files. The SKILL.md also omits any guidance on how Edge TTS is invoked or authenticated, leaving the agent broad discretion.
Install Mechanism
There is no install spec (instruction-only), which minimizes direct install risk. However, the skill depends on external scripts that are not provided. Because no code is bundled, the static scan found nothing, but the absence means you must trust external scripts already present on the host.
Credentials
The skill requests no environment variables or credentials, which is proportionate. That said, it also provides no guidance about whether Microsoft Edge TTS requires network access or auth tokens in the deploy environment, so missing credential instructions reduce clarity (not necessarily malicious, but incomplete).
Persistence & Privilege
The skill does not request always:true and is user-invocable; it does not claim to modify system-wide agent settings. There is no indication it attempts to persist itself as a privileged skill.
What to consider before installing
Do not run or allow this skill to invoke the hard-coded scripts referenced in SKILL.md until you verify them. Ask the author to provide the missing scripts or an install spec, or change examples to relative/templated paths. Inspect any edge-tts-*.sh scripts for network calls, credential access, or file reads/writes before execution. Confirm whether Microsoft Edge TTS requires authentication or network access and ensure any tokens would be supplied intentionally. If you cannot review the external scripts, decline or isolate the skill (run in a sandbox) — the current instructions are incomplete and could execute arbitrary local code.

Like a lobster shell, security has layers — review code before you run it.

latestvk977zbpywh90paav0c5tehbe3183kgbv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments