Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using it.

Xiaomi TTS Proxy

v1.0.2

Xiaomi TTS proxy skill. Converts the OpenAI TTS API format to the Xiaomi large-model platform TTS API (api.xiaomimimo.com), with local transcoding for six formats: Opus/MP3/AAC/FLAC/WAV/PCM. Use this skill when you need to add voice replies to a bot or configure TTS speech synthesis. Also suitable when you need to set up a local...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals: Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Pending
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name, description, and the included tts-proxy.mjs align: this is a local proxy that translates OpenAI-compatible TTS requests into Xiaomi's TTS API and uses FFmpeg for format conversion. Declared required binary (ffmpeg) and required config path (messages.tts) are appropriate. However, the registry metadata does NOT declare the environment variables (MIMO_TTS_BASE, MIMO_TTS_KEY, TTS_PROXY_PORT) that the script and SKILL.md require — this omission is inconsistent.
Instruction Scope
SKILL.md stays within TTS proxy scope: it instructs creating an env file under ~/.openclaw, optionally registering a systemd unit, editing OpenClaw messages.tts config, and using health and /audio/speech endpoints. It does not instruct reading unrelated system files. Minor issue: it references copying a systemd unit file (mimo-tts-proxy.service) but that file is not included in the package.
Install Mechanism
This is instruction-plus-one-script (no install spec). No third-party downloads or archive extraction are performed by the package itself, which is a low install risk. The included Node script is readable and not obfuscated.
Credentials
The code requires two sensitive environment values: MIMO_TTS_BASE and MIMO_TTS_KEY (and optionally TTS_PROXY_PORT). Those enable network calls to an external Xiaomi endpoint and are necessary for the skill to function. The registry metadata, however, lists no required env vars or primary credential — this mismatch is problematic because it hides the need to supply a remote-service API key and does not surface the sensitive scope in the skill manifest.
Persistence & Privilege
The skill is not always-enabled and requires explicit user action. SKILL.md recommends running the proxy as a systemd service for persistence (optional). That is reasonable for a local TTS proxy, but users should be aware that installing a systemd unit gives the service long-term network access on the host.
What to consider before installing
This skill appears to be a bona fide local TTS proxy, but exercise caution before installing:
1) The package metadata fails to declare the environment variables the script actually needs: you must provide MIMO_TTS_BASE (the Xiaomi API base URL) and MIMO_TTS_KEY (your Xiaomi API key). Those are sensitive and will be sent to the external API.
2) The SKILL.md suggests installing a systemd unit (not included) which would run the proxy persistently and allow it to send texts to the Xiaomi endpoint any time the service is running.
3) Verify the source and trustworthiness of this skill (no homepage is provided), inspect the tts-proxy.mjs file yourself (it is readable and not obfuscated), and ensure the env file (~/.openclaw/tts-proxy.env) is stored with restrictive permissions.
4) If you are concerned about privacy or lateral impact, run the proxy in an isolated environment (a container or a restricted network), or only use it with non-sensitive text.
5) If the registry metadata were updated to explicitly declare the required env vars and a trusted homepage or repository, the incoherence concern would be resolved.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
tts-proxy.mjs:70: Shell command execution detected (child_process).
tts-proxy.mjs:22: Environment variable access combined with network send.
tts-proxy.mjs:18: File read combined with network send (possible exfiltration).




Runtime requirements
🔊 Clawdis
Bins: ffmpeg
Config: messages.tts
