Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Sherpa ONNX TTS
v0.1.0 · Local text-to-speech via sherpa-onnx (offline, no cloud)
by Daniel Sinewe (@danielsinewe)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and required env vars (SHERPA_ONNX_RUNTIME_DIR, SHERPA_ONNX_MODEL_DIR) align with an offline sherpa-onnx TTS. The declared downloads (sherpa-onnx runtime and TTS model) are consistent with the stated purpose.
Instruction Scope
SKILL.md instructs editing ~/.openclaw/openclaw.json and running a wrapper located in the skill folder ({baseDir}/bin/sherpa-onnx-tts). However, the skill manifest lists only SKILL.md and no wrapper or bin files — either the wrapper is missing from the package or the instructions are inaccurate. This mismatch is scope/integrity-relevant and should be clarified.
Install Mechanism
Install metadata (embedded in SKILL.md) uses direct downloads from GitHub releases and extracts tar.bz2 archives into runtime/models directories. GitHub releases are a reasonable source, but extract=true means archives will be written to disk — verify release authenticity and contents before trusting/executing binaries. Also note a registry-level claim of “no install spec” conflicts with the install entries embedded in SKILL.md.
Credentials
Only two environment variables are required, and they directly map to runtime and model locations required by sherpa-onnx. SKILL.md mentions optional vars (e.g., SHERPA_ONNX_MODEL_FILE) not listed as required — minor inconsistency but not inherently dangerous.
Persistence & Privilege
always is false and the skill does not request system-wide privileges. It asks the user to add a PATH entry and update the user's OpenClaw config (~/.openclaw/openclaw.json), which is a normal local configuration change.
What to consider before installing
Before installing:
(1) Confirm where the wrapper/binary actually comes from — SKILL.md references a wrapper in the skill folder but the package contains no code; ask the author for the missing wrapper or a corrected instruction.
(2) Verify the GitHub release URLs and check checksums/signatures of downloaded archives if possible; extracted runtime binaries will be executed locally.
(3) Inspect the extracted runtime and model files before running to ensure they contain only the expected executables/models.
(4) Only set SHERPA_ONNX_RUNTIME_DIR and SHERPA_ONNX_MODEL_DIR to paths you control; do not point them to unrelated system config or credential files.
If the maintainer clarifies the missing wrapper and provides reproducible install artifacts, the package would appear coherent with its purpose.
Like a lobster shell, security has layers — review code before you run it.
Tags: audio · latest · local-ai · offline · openclaw · sherpa-onnx · tts
Runtime requirements
🗣️ Clawdis
OS: macOS · Linux · Windows
Env: SHERPA_ONNX_RUNTIME_DIR, SHERPA_ONNX_MODEL_DIR
