Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ressemble TTS e STT
v1.0.1
Text-to-Speech and Speech-to-Text integration using the Resemble AI HTTP API.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
The name/description (Resemble TTS & STT) matches the included scripts and docs: both scripts call Resemble API endpoints for transcription and synthesis. Requiring an API key for Resemble is expected. However, the registry metadata lists no required env vars or binaries, while the included .md files and scripts require RESEMBLE_API_KEY and the binaries curl, jq and base64. The registry metadata therefore does not match what the skill actually needs.
Instruction Scope
The SKILL.md and the two shell scripts only perform expected actions: upload an audio file for STT, poll for job status, request TTS synthesis, decode base64 audio to /tmp, and echo outputs. They do not try to read unrelated system files or additional environment variables. They send data to Resemble endpoints and write temporary files under /tmp, which is consistent with the stated purpose.
Install Mechanism
There is no install specification (instruction-only plus included shell scripts). That is low-risk compared with arbitrary downloads. The presence of executable shell scripts means code will run if invoked, but nothing in the repository performs remote code installation.
Credentials
The scripts and per-command metadata require RESEMBLE_API_KEY and binaries (curl, jq, base64). The registry-level metadata, however, lists no required env vars or binaries. This divergence is concerning because an omitted required credential or binary in registry metadata could cause unexpected runtime prompts or silent failures and hides that the skill needs your API key. RESEMBLE_API_KEY is the only credential the scripts use; otherwise the requested scope is proportional to the functionality.
Persistence & Privilege
The skill is not always-enabled and does not request special persistence or modify other skills. It only writes temporary output files to /tmp when synthesizing audio, which is reasonable for its function.
What to consider before installing:
- The skill will send audio and text to Resemble's endpoints and requires your RESEMBLE_API_KEY (the scripts check for it). Do not provide a production key until you review and trust the scripts.
- Registry metadata currently omits the RESEMBLE_API_KEY and required binaries (curl, jq, base64). This is likely an oversight but should be corrected — ask the publisher to declare required env vars/binaries in the registry entry.
- Review the two shell scripts yourself (they are small): they post to https://app.resemble.ai and https://f.cluster.resemble.ai, poll job status, and write synthesized MP3s to /tmp. Confirm these endpoints are the official Resemble domains you expect.
- Be aware that transcripts and audio are uploaded to a third-party service. If you handle sensitive audio, consider using a throwaway or limited-scope API key for testing and rotate the key after exposure.
- If you want higher assurance, ask the author to (a) fix the registry metadata to list RESEMBLE_API_KEY and required binaries, (b) provide provenance or homepage, and (c) explain why two different Resemble hosts are used for TTS vs STT.
Additional information that would change this assessment: explicit registry metadata declaring the env var and binaries (would raise confidence to benign), or discovery of additional undeclared credentials/endpoints (would raise severity).

Like a lobster shell, security has layers — review code before you run it.

latest · vk9742xww3avvd6ycyed44jc01581rds3
