ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

LH Edge TTS

v1.0.0

Text-to-speech conversion using Python edge-tts for generating audio from text. Supports multiple voices, languages, speed adjustment, pitch control, and sub...

0· 736·5 current·5 all-time
by@liuhedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description claim Microsoft Edge neural TTS via Python edge-tts; included scripts and install.sh explicitly use edge-tts and provide voice/rate/pitch/subtitle features—requirements are proportional to the described TTS functionality.
Instruction Scope
SKILL.md and the scripts confine behavior to converting text to audio, listing voices, and managing a local config. Instructions reference only the built-in tts tool, the included scripts, and the edge-tts service. No instructions ask the agent to read unrelated system files or exfiltrate data.
Install Mechanism
Installation is a simple pip install edge-tts invoked by install.sh and documented in SKILL.md; this is an expected, low-risk install method for a Python-based TTS wrapper.
Credentials
The skill requests no environment variables or credentials. It stores user preferences in ~/.tts-config.json and writes temporary audio files to a temp directory—both are reasonable for this feature. The proxy option is user-controlled (not required).
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and only persists its own config in the user's home directory. It runs on-demand and does not demand elevated/system-wide privileges.
Assessment
This skill appears to be what it claims: a thin wrapper around the edge-tts library. Things to consider before installing: (1) text you convert is sent to Microsoft Edge's online TTS service (no API key required), so avoid sending sensitive PII if you need it kept private; (2) the skill writes a config file (~/.tts-config.json) and temporary audio files to the system temp directory—clean up if you want no persistent artifacts; (3) the proxy option can route requests through a custom endpoint only if you supply it—do not point it to unknown or untrusted proxies. If you need stronger privacy guarantees, test with non-sensitive text or inspect network activity before broad use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97eawg59r8z1411a43cxbjgq982959z

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments