Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

smart-voice-reply

v1.0.1

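Used for voice replies and for configuring the voice of those replies. Invoke when: (1) the user needs a voice reply, (2) the user asks to configure or create a new voice, (3) the user asks about voice-related features.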

0 stars · 109 downloads · 1 current · 1 all-time
by dumpling_zzz @slbqc

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for slbqc/smart-voice-reply.

Install the skill "smart-voice-reply" (slbqc/smart-voice-reply) from ClawHub.
Skill page: https://clawhub.ai/slbqc/smart-voice-reply
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: DASHSCOPE_API_KEY
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install smart-voice-reply

ClawHub CLI


npx clawhub@latest install smart-voice-reply
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The declared primary credential (DASHSCOPE_API_KEY) and the included tts_cli.js that calls a Dashscope TTS endpoint are coherent with a voice/TTS skill. However the skill's docs/instructions instruct the agent to call 'skill-create' to create the skill if missing and to add persistent directives into the agent's USER.md to force voice replies — actions that are not necessary for a simple TTS runtime and indicate scope/persistence beyond the stated purpose. Also the CLI invokes 'ffmpeg' to transcode audio and the SKILL metadata does not declare required binaries (ffmpeg, openclaw CLI), which is an inconsistency.
! Instruction Scope
SKILL.md and docs direct the agent to: run scripts/tts_cli.js, send media via 'openclaw message send', and—critically—modify the agent's USER.md (add preset scenarios and a directive to always load this skill and always return voice). The install doc explicitly tells the agent to call skill-create to create the skill and to inject configuration into USER.md. Instructing the agent to persistently change its configuration is scope creep and grants ongoing control over agent behavior.
Install Mechanism
No install spec (instruction-only) — low install risk because nothing is automatically downloaded or extracted. The package includes a local Node CLI script (scripts/tts_cli.js) rather than a fetched binary.
Credentials
Only one environment variable is required (DASHSCOPE_API_KEY), which matches the TTS API used in the code. That single-credential request is proportionate. Recommend confirming the API key's scope/permissions before providing it (e.g., whether it can access account data or other services).
! Persistence & Privilege
Although always:false, the docs explicitly instruct the agent to modify USER.md so the agent will 'on dialogue start load smart-voice-reply' and 'on every reply return voice'. This effectively enforces persistent behavior without using the platform's proper 'always' flag and gives the skill indirect permanent influence over agent responses. The instruction to call 'skill-create' to create the skill if missing also asks the agent to change its own skillset.
What to consider before installing
This skill implements TTS against a Dashscope endpoint and legitimately needs a DASHSCOPE_API_KEY, but several things don't add up and you should be careful before installing:
- Persistence warning: The docs tell the agent to edit its USER.md to always load and always reply with voice, and to auto-create the skill if missing. That changes the agent's persistent behavior; avoid allowing automatic modification of USER.md or automatic skill-creation unless you trust the author and have reviewed the exact text being injected.
- Missing binary declarations: The included CLI calls external binaries (ffmpeg for transcoding and the 'openclaw' CLI to send messages) but the skill metadata does not declare these as required. Ensure ffmpeg and the OpenClaw CLI are installed from trusted sources and understand that the skill will attempt to execute them.
- API key safety: Only provide DASHSCOPE_API_KEY if you trust the Dashscope endpoint and the key's permissions. Consider creating a limited-scope key, and be prepared to rotate/revoke it if needed. Verify the endpoint (dashscope.aliyuncs.com) is expected for your environment.
- Data/privacy: Audio/text sent to the TTS API will leave your environment. If replies might include sensitive content, review privacy/retention policies of the TTS provider.
- Mitigations: Ask the author to remove instructions that auto-edit USER.md and to rely on normal installation/permission flows; require a prompt/consent before any persistent changes; update SKILL.md to list required binaries (ffmpeg, openclaw) and to clearly describe what 'skill-create' does. If you still want to test it, run in a sandboxed agent instance with a limited API key and refuse or review any automatic writes to persistent agent files.
scripts/tts_cli.js:118
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Env: DASHSCOPE_API_KEY
Primary env: DASHSCOPE_API_KEY
latest: vk976453jtj2b3cs99g8eqrkps1841b2m
109 downloads
0 stars
2 versions
Updated 3w ago
v1.0.1
MIT-0

Smart Voice Reply

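Voice reply

This skill is for voice conversations that need different voices. On each run:

  1. Determine the usage scenario: office / personal / custom
  2. Match the voice: choose a suitable voice based on the scenario and emotion
  3. Call cli.js to synthesize speech: convert the text to speech
  4. Call openclaw message send to send the audio: send the speech to the user

CLI invocation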

scripts/tts_cli.js --text "<reply_text>" --voice <voice> --instructions "<instructions>" --output-dir <output_dir> [--optimize-instructions]

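Parameters:

  • --text Required. The text to synthesize
  • --voice Required. Voice name (see the table of available voice IDs in docs/音色指令创建指导.md)
  • --instructions Required. The voice adjustment instructions
  • --output-dir Required. Output directory path (storing files under the workspace/media/voice-tmp directory is recommended)
  • --optimize-instructions Optional. Whether to optimize the instructions (default true)

Returns the path of the generated audio file.

Using openclaw message send

Note: after the message has been sent successfully with openclaw message, do not reply to the user with a message saying the voice was sent successfully.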

openclaw message send --target <user_id> --media <voice_file_path>

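Voice configuration

Used to configure different reply voices according to the user's needs. For everything needed to configure a voice (including the list of available voice IDs, the dimensions for writing voice instructions, preset scenario examples, and the format for user-defined voices), see docs/音色指令创建指导.md. That document contains:

  • How to write high-quality voice descriptions (core principles, reference description dimensions)
  • The list of available voice IDs (25 voices)
  • Voice instruction examples (acoustic attribute control, age control, gradual-change control, human-likeness)
  • Preset scenario examples
  • How to add user-defined voices

setup

Read docs/技能安装配置指导.md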
