Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

audiobook

v0.1.0

Create audiobooks from web content or text files. Handles content fetching, text processing, and TTS conversion with automatic fallback between ElevenLabs, O...

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (create audiobooks from web content/text files) matches the instructions: fetching web pages, cleaning/chunking text, and calling ElevenLabs/OpenAI/gTTS for TTS. The external API calls and temporary file usage are expected for this purpose.
Instruction Scope
Instructions include running curl via subprocess to fetch arbitrary URLs, stripping HTML, writing /tmp chunk files, and posting text to external TTS endpoints. These behaviors are appropriate for the stated purpose but do involve network access, temporary file I/O, and sending potentially sensitive text to third-party TTS services — the SKILL.md does not instruct scanning local sensitive files, but the ability to fetch arbitrary URLs could reach internal resources if misused.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing is written to disk by an installer. That lowers supply-chain risk. However, the code snippets assume runtime libraries (requests, gTTS, possibly others) and a Python runtime are present; the skill does not declare those dependencies.
Credentials
SKILL.md checks for ELEVENLABS_API_KEY and OPENAI_API_KEY and uses them if present, which is proportional to supporting multiple TTS providers. The skill metadata, however, lists no required env vars or primary credential — a mild inconsistency. No unrelated credentials are requested.
Persistence & Privilege
always:false and no install actions are present. The skill does not request persistent system-wide privileges or modify other skills' configuration. It writes temporary audio chunks to /tmp during operation, which is normal for this task.
Assessment
This skill appears to do what it says, but review these points before installing: (1) It will fetch arbitrary web URLs and post text to third‑party TTS APIs — avoid giving it internal/private URLs and protect any API keys you supply. (2) The SKILL.md assumes a Python runtime and libraries like requests/gTTS but the skill metadata doesn't declare dependencies; ensure your environment has the needed packages. (3) Temporary audio files are written to /tmp; check storage/cleanup policies if that matters. (4) Confirm you have permission to convert the target content into audio (copyright/terms). If you plan to supply ELEVENLABS_API_KEY or OPENAI_API_KEY, treat them as secrets and only provide them if you trust the environment executing the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a7sn7g2kcz9kk9rc3cmsf0584xrsa

