Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Telegram Offline Voice

v0.1.3

Generate Telegram voice messages locally, with support for automatic cleaning, segmentation, and temporary file management.

by sanwe @sanwecn
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description promise: local, offline TTS. Implementation: uses the Python package edge_tts (declared in the script header comments and imported in code). edge_tts typically requests audio from Microsoft TTS endpoints (i.e., network calls), so the claim of being fully offline and zero-token may be false or misleading. Other requirements (ffmpeg, Python, optional uv) match the stated purpose.
Instruction Scope
SKILL.md and the script keep scope to converting provided text -> temporary mp3 -> final ogg and printing file paths. The script only reads the supplied --text and writes temp files under outdir (/tmp by default). No instructions to read unrelated files or environment variables. However, runtime will transitively call edge_tts which may make network requests to Microsoft endpoints — the SKILL.md asserts local-only processing but does not document or justify any network usage.
Install Mechanism
No formal install spec (instruction-only), which is lower risk. SKILL.md recommends installing uv with curl | sh from https://astral.sh/ (third-party installer); piping remote scripts to sh is higher risk and should be treated cautiously. The script lists Python dependencies (edge-tts, aiofiles) in header comments but does not provide explicit pip install steps — user must install these. No arbitrary binary downloads or obscure URLs in included files beyond the uv installer suggestion.
Credentials
The skill requests no environment variables or credentials. The script operates entirely on supplied text and local temp files; there are no demanded tokens, keys, or config path access. This is proportionate to its stated functionality — except for the unresolved offline claim noted above.
Persistence & Privilege
The skill is user-invocable only (always: false) and does not request persistent agent-wide privileges or modify other skills. It does not persist credentials or change system-wide settings.
What to consider before installing
This skill is mostly coherent: it converts text to OGG via edge_tts and ffmpeg and manages temp files correctly. However, the author repeatedly claims "100% local / zero token" while importing and using edge_tts — that library typically obtains TTS audio from Microsoft services (network calls), so the skill may not be truly offline. Before installing or running:
1) Verify edge_tts behavior in your environment (check its docs or run it in a sandbox) to confirm whether audio is generated locally or fetched from the network.
2) If you require strict offline operation, consider replacing edge_tts with a known local TTS engine (Coqui/tts, local OpenTTS endpoint, or local Edge browser invocation) or explicitly audit network traffic.
3) Avoid running curl | sh blindly — the uv install script is optional; prefer installing known packages from distro repos or inspecting the installer first.
4) Run the script in an isolated environment first (container or VM), monitor outbound connections (tcpdump/strace) and review installed Python dependencies (pip show edge-tts) to ensure no unexpected exfiltration.
If you cannot confirm edge_tts is purely local, treat the offline claim as inaccurate and proceed with caution.

Like a lobster shell, security has layers — review code before you run it.

latest vk97akhnxk1z3h82wr96j1rebvh80pw61

Runtime requirements

🎙️ Clawdis
OS: Linux
Bins: ffmpeg, uv