Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Piper TTS

v1.0.1

Local text-to-speech using Piper for voice message delivery. Use when the user asks for voice responses, audio messages, TTS, text-to-speech, voice notes, or...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (local Piper TTS) match the included scripts and README: setup installs piper-tts and downloads voice ONNX files; speak script generates WAV via python -m piper and converts to MP3. No unrelated capabilities or credentials are requested.
Instruction Scope
SKILL.md and scripts keep to TTS: they read PIPER_VOICES_DIR, HOME and TMPDIR (reasonable), call python3 -m piper, ffmpeg, and output an MP3 path. They do not read unrelated system files or send data to unexpected endpoints; voice downloads go to HuggingFace repo.
Install Mechanism
There is no formal install spec (instruction-only). setup-piper.sh installs piper-tts via pip and may install ffmpeg via brew or apt-get (sudo). It downloads model files with curl from huggingface.co (official repo). This is expected but carries normal risks of executing pip/apt and downloading binaries; running in a controlled environment is recommended.
Credentials
The skill requests no credentials or secret env vars. It optionally respects PIPER_VOICES_DIR and TMPDIR (standard local config). No excessive or unrelated environment access is requested.
Persistence & Privilege
always:false and model invocation is normal. The scripts install tools/packages but do not modify other skills or system agent configs. The only elevated action is apt-get which may require sudo during setup — expected for installing ffmpeg on Linux.
Assessment
This skill appears to do what it says: local TTS using Piper and downloaded voice models from HuggingFace. Before running setup-piper.sh, consider: 1) the setup script will run pip3 install (piper-tts) and may run sudo apt-get install ffmpeg — run these commands in a virtualenv or on a machine where you trust installing packages. 2) the voice files are downloaded from https://huggingface.co/rhasspy/piper-voices which is the expected source, but downloads and pip installs execute remote code — review or run in an isolated environment if you have concerns. 3) voices are written to ~/.local/share/piper-voices (or PIPER_VOICES_DIR if set); no secrets are requested. If you want minimal risk, run setup manually and inspect outputs before enabling the skill.

Like a lobster shell, security has layers — review code before you run it.

latest vk9777nsajbcf8bf5s3tfn981d981nz79
