Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Chattts

High-quality, conversational Text-to-Speech (TTS) generation via local ChatTTS API.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 13 · 1 current installs · 1 all-time installs
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill is a Node-based client that POSTs text to a ChatTTS FastAPI server and returns a local .wav path — this matches the stated TTS purpose and the requirement for the 'node' binary. However, the registry's 'required env vars' field contains a literal URL (http://172.23.252.114:8020) instead of an environment variable name (SKILL.md and the script expect CHATTTS_API_URL). That metadata mismatch is unexpected and likely a misconfiguration.
Instruction Scope
SKILL.md and scripts/tts.mjs limit actions to reading CHATTTS_API_URL (or using the built-in default), sending the provided text to /v1/audio/speech, and printing the generated file path. The script does not read arbitrary files or other env vars. Note: the script will send any provided text to the configured API endpoint — so the privacy/security of the input depends on where that endpoint points.
Install Mechanism
This is an instruction-only skill with a small included Node script and no install spec; nothing is downloaded or written by an installer. Risk from install mechanism is low.
Credentials
The declared required env var in registry metadata is a URL literal (http://172.23.252.114:8020) and primaryEnv is the same URL; this is malformed and disproportionate — expected: a single env var name (CHATTTS_API_URL). The script defaults to a private IP (172.23.252.114:8020), so by default user text will be sent to that host. While no secret keys are requested, sending arbitrary text to an unknown IP can expose sensitive content.
Persistence & Privilege
The skill is not marked always:true and doesn't request elevated persistence. It does not modify other skills or system-wide configs in the provided files.
What to consider before installing
This skill appears to be a simple Node client for a ChatTTS server and mostly behaves as described, but there are configuration inconsistencies you should resolve before installing:

  • Metadata issue: the registry lists a literal URL (http://172.23.252.114:8020) as a required env var and as the primary credential. That is likely a mistake; the script expects an environment variable named CHATTTS_API_URL. Ask the publisher to fix the metadata.
  • Default endpoint: the script defaults to a private IP (172.23.252.114:8020). Verify that this host is one you control/trust. If not, set CHATTTS_API_URL to a trusted localhost or internal server before use.
  • Port mismatch: the script's default port is 8020, but the error message mentions checking port 8080, another sign of sloppy editing. Confirm which port your ChatTTS server actually uses.
  • Privacy: any text you pass to the skill is POSTed to the configured API. Don't send sensitive content unless you trust the API host.

Recommended actions:

  • Inspect or run the included scripts in an isolated environment.
  • Correct CHATTTS_API_URL in the skill metadata, or set CHATTTS_API_URL explicitly to a known endpoint (e.g., http://127.0.0.1:8020) if you run a local server.
  • Request source/homepage or author verification if you need higher assurance.

If the author fixes the metadata and confirms the endpoint is local/controlled, this would likely be coherent/benign.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

  • scripts/tts.mjs:26: Environment variable access combined with network send.

Current version: v1.0.0
latest: vk97c1xd33rjc729w8c439wvrm183051b

Runtime requirements

🎙️ Clawdis
Bins: node
Env: http://172.23.252.114:8020
Primary env: http://172.23.252.114:8020

SKILL.md

ChatTTS Voice Generator

AI-optimized conversational text-to-speech using a local ChatTTS server. Designed to generate highly natural human voices with realistic laughs, breathing, and pauses.

Generate Speech

node {baseDir}/scripts/tts.mjs "你要转换的语音文本"
node {baseDir}/scripts/tts.mjs "你好啊![laugh] 今天天气真不错,[uv_break] 我们出去玩吧?" --seed 2048
node {baseDir}/scripts/tts.mjs "写代码真是太开心了!" --seed 1234 --temperature 0.5

Options

  • --seed <number>: Random seed to fix the speaker's voice/timbre (default: 2048). Change this number to switch between different male/female voices.
  • --temperature <float>: Controls the emotional variance and stability (default: 0.3). Lower is more stable and clear, higher (e.g., 0.6) is more expressive but might mumble.
  • --top_p <float>: Top P sampling parameter for voice generation (default: 0.7).

Notes

  • Requires the local ChatTTS FastAPI server to be running (default target: http://172.23.252.114:8020).
  • Ensure CHATTTS_API_URL is set in your .env file if the API is hosted on a different machine.
  • PRO TIP: Always try to insert [laugh] (laughter) and [uv_break] (pauses/breaths) into the text to make the generated voice sound exactly like a real human.
  • The script will return the absolute local file path of the generated .wav audio file.

Files

2 total