ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SiliconFlow TTS Gen

v1.0.0

Text-to-Speech using SiliconFlow API (CosyVoice2). Supports multiple voices, languages, and dialects.

0· 740·4 current·4 all-time
byMaxStormSpace@lilei0311
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, skill.json, SKILL.md and the script all target SiliconFlow TTS and only require an API key and produce audio files. The network host used (api.siliconflow.cn) is consistent with the stated service.
Instruction Scope
Runtime instructions and the script are narrowly scoped to: obtain an API key (from environment or ~/.openclaw/openclaw.json), call the SiliconFlow TTS endpoint, save an audio file, and print JSON results. The only broader action is reading ~/.openclaw/openclaw.json to auto-detect keys; this is explained in SKILL.md but could expose any keys stored there if the file is shared—script only accesses a specific providers.siliconflow.apiKey path.
Install Mechanism
No install spec that downloads external code; this is an instruction + shipped Python script. No remote installs, archive downloads, or non-standard binary placement were observed.
Credentials
The only required secret is SILICONFLOW_API_KEY (declared in SKILL.md and skill.json), which is appropriate for an API-backed TTS skill. There is a minor metadata inconsistency: the top registry summary listed 'Required env vars: none' while SKILL.md and skill.json require SILICONFLOW_API_KEY—this is a documentation/manifest mismatch to be aware of.
Persistence & Privilege
Skill does not request always:true, does not modify other skills or system settings, and only uses exec to run curl via subprocess (normal for a small CLI tool).
Assessment
This skill appears to do what it says: convert text to speech via the SiliconFlow API. Before installing, (1) verify the SiliconFlow domain (api.siliconflow.cn) and that you trust the service and its API key handling; (2) inspect ~/.openclaw/openclaw.json for other stored credentials before allowing the skill to read it, or set SILICONFLOW_API_KEY in the environment instead; (3) consider providing a scoped API key (least privilege) and monitor network use if you are concerned. Note the small manifest inconsistency about whether an env var is required—prefer the SKILL.md / skill.json guidance (SILICONFLOW_API_KEY required).

Like a lobster shell, security has layers — review code before you run it.

cosyvoicevk973ny29k3n0se54dh9gbtaw45817ph6latestvk973ny29k3n0se54dh9gbtaw45817ph6siliconflowvk973ny29k3n0se54dh9gbtaw45817ph6text-to-speechvk973ny29k3n0se54dh9gbtaw45817ph6ttsvk973ny29k3n0se54dh9gbtaw45817ph6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments