ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

LrshuAI Voice Clone

v1.0.0

声音克隆技能。当你需要提供一段参考音频,并生成使用该声音说话的新音频时调用此技能。

0· 84·0 current·0 all-time
bydlazyAI@lrshu

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for lrshu/lrshuai-voice-clone.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "LrshuAI Voice Clone" (lrshu/lrshuai-voice-clone) from ClawHub.
Skill page: https://clawhub.ai/lrshu/lrshuai-voice-clone
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: TEAM_API_KEY
Required binaries: python
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install lrshuai-voice-clone

ClawHub CLI

Package manager switcher

npx clawhub@latest install lrshuai-voice-clone
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (voice cloning) align with the included code that accepts a reference audio/image/video and posts it to an inference API. However the script defaults to sending data to https://dlazy.com/api/ai/tool (no homepage or vendor declared), and the code supports many more generic model IDs than the SKILL.md lists. The default remote endpoint and broad model support are not documented in the skill metadata and reduce transparency.
!
Instruction Scope
SKILL.md contains a CRITICAL instruction forcing the agent to run `python script/invoke_model.py` directly (explicitly forbidding `openclaw run`). That is unusual and suspicious because it attempts to bypass the platform's standard execution wrapper. The script will read local files (images/videos/audio paths) and base64-encode/send them to the remote endpoint — behaviour consistent with voice-clone but also able to exfiltrate any file you point it at. The SKILL.md does not declare or justify why openclaw-run must be avoided.
Install Mechanism
No install spec (instruction-only with a bundled script) — low install risk because nothing is downloaded at install time. However the script depends on third-party Python packages (requests, possibly others) that are not declared or installed by the skill; running may fail or require the agent environment to have additional packages. Bundling executable script without an install step is acceptable but increases runtime dependency ambiguity.
!
Credentials
The skill requires TEAM_API_KEY (primaryEnv) which is coherent for an API-based model call. However the code also reads TEAM_BASE_URL (with a default of https://dlazy.com/api/ai/tool) but TEAM_BASE_URL is not declared in the requires.env list or metadata. An API key combined with an uncontrolled or undocumented base URL increases risk because the key may authorize requests to an external service not described by the skill. No other env vars or credentials are requested.
Persistence & Privilege
The skill does not request always:true, system-wide config changes, or access to other skills' configs. It is user-invocable and allows autonomous invocation (platform default) but does not demand permanent presence or elevated platform privileges.
What to consider before installing
This skill appears to implement voice cloning but has several red flags you should consider before installing or using it: - The script will send files (audio/images/videos) to a remote API. The default endpoint (https://dlazy.com) and the TEAM_BASE_URL env var are not documented in the skill metadata — verify the intended service and its privacy/security properties before providing your API key or any reference audio. - SKILL.md explicitly forbids running via the platform runner and demands executing the bundled Python script directly. This bypass could be an attempt to avoid platform controls; prefer skills that operate through the platform's approved invocation methods. - TEAM_BASE_URL is used but not declared; ensure the API key you supply is scoped/rotatable and do not reuse high-privilege credentials. Consider creating a throwaway or limited-scope key for testing. - The script requires Python packages (requests) that are not installed automatically; run in an isolated environment (container/VM) if you must test it. - If you need this capability, ask the publisher for a verified homepage, a canonical base URL, and a clear justification for bypassing openclaw run. If those aren't provided, treat the skill as risky and avoid sending private or sensitive audio files to it.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎙️ Clawdis
Binspython
EnvTEAM_API_KEY
Primary envTEAM_API_KEY
latestvk97304bf4yb9k0txmp7vsftdrh844852
84downloads
0stars
1versions
Updated 3w ago
v1.0.0
MIT-0
dlazyAI@lrshu
latest
Download

Voice Clone (声音克隆)

CRITICAL INSTRUCTION FOR AGENT: 当用户要求调用 lrshuAI-voice-clone 技能时,你绝对不能使用 openclaw run。你必须直接通过系统自带的 python 命令来运行 script/invoke_model.py

支持的模型

  • Kling Audio Clone (kling-audio-clone): 可灵音色克隆模型。
  • Vidu Audio Clone (vidu-audio-clone): Vidu 音色克隆模型。

调用示例

python script/invoke_model.py --model 'kling-audio-clone' --prompt '这是克隆出来的声音,你好啊!' --audio 'path/to/reference_audio.wav'

Comments

Loading comments...