Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Audio Cog
v1.0.11
AI audio generation and text-to-speech powered by CellCog. Voiceover, narration, voice cloning, avatar voices, sound effects, music, podcasts, dialogue. Thre...
⭐ 4 · 4.8k · 35 current · 37 all-time
by CellCog @nitishgargiitd
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (AI audio generation using OpenAI, ElevenLabs, MiniMax via CellCog) matches the functionality described in SKILL.md. However, SKILL.md includes a metadata dependency on 'cellcog' and references multiple external providers, while the registry metadata lists no dependencies or required credentials, so the declarations are inconsistent.
Instruction Scope
Runtime instructions reference the CellCog SDK, creating chats, file handling, avatar/cloned-voice uploads and use of external providers. The SKILL.md implies the agent will upload/handle audio samples and interact with multiple third-party APIs, but it does not specify where credentials come from or what endpoints receive user data. That missing detail broadens scope and risk.
Install Mechanism
Instruction-only skill (no install spec, no code files), so nothing is written to disk by an installer. This is lower install risk, but it increases reliance on runtime environment configuration which is currently underspecified.
Credentials
SKILL.md clearly uses OpenAI, ElevenLabs, MiniMax and a 'cellcog' SDK — all of which normally require API keys. The registry metadata declares no required environment variables or primary credential. That absence is disproportionate and ambiguous: either credentials are expected from elsewhere (not declared) or the skill would be unable to operate as described.
Persistence & Privilege
Skill does not request always:true and is user-invocable with normal autonomous invocation allowed. It does not declare system-level persistence or modifications to other skills; no elevated persistence privileges are requested.
Scan Findings in Context
[no_code_files_scanned] expected: The static scanner found no code (instruction-only SKILL.md). This is expected for an instruction-only skill, but leaves runtime behavior and credential requirements unspecified in metadata — verify manually.
What to consider before installing
Questions to ask / actions before installing:
1) Ask the publisher which credentials are required (CellCog API key? OPENAI_API_KEY? ELEVENLABS_KEY? MINIMAX key?) and why each is needed.
2) Confirm where audio and uploaded voice samples are sent/stored (cellcog.ai or third parties), retention policy, and whether data is used to train models.
3) Verify the 'cellcog' dependency — is it another OpenClaw skill, a Python package, or something installed at runtime?
4) Prefer short-lived or least-privilege keys and test in an isolated environment before granting production credentials.
5) If you need voice cloning, confirm legal/consent safeguards for uploading other people's voices.
6) If the publisher cannot clearly list required env vars/endpoints and a privacy/terms link, consider withholding installation until they provide those details.
Like a lobster shell, security has layers — review code before you run it.
latest vk9793xgg9am4pr54ama2tq1nwx84ttsz
Runtime requirements
🎵 Clawdis
OS: macOS · Linux · Windows
