ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

voice-output

v1.0.1

Use when Tony says voice reply or asks to speak. Speaks the response aloud via Doubao TTS to MOMAX BS6.

0· 113·0 current·0 all-time
by@olddirtybikertony

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for olddirtybikertony/voice-output.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "voice-output" (olddirtybikertony/voice-output) from ClawHub.
Skill page: https://clawhub.ai/olddirtybikertony/voice-output
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install voice-output

ClawHub CLI

Package manager switcher

npx clawhub@latest install voice-output
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's stated purpose (speak responses via Doubao TTS to MOMAX BS6) matches the included code and docs. However, the code embeds an ACCESS_TOKEN and APPID inside the script instead of declaring/asking for credentials via environment variables as the SKILL.md/metadata imply. Embedding an external service token in distributed code is disproportionate and unexpected.
!
Instruction Scope
SKILL.md instructs calling a hard-coded user-specific path (/Users/tony/.openclaw/...), and the script assumes macOS 'afplay'. The runtime runs network calls to https://openspeech.bytedance.com/api/v1/tts and writes temporary mp3 files and a /tmp lock file. Those operations are consistent with TTS but the absolute path and OS-specific player are brittle and reveal a path- and OS-specific assumption that is not declared in metadata.
Install Mechanism
This is an instruction-only skill with a bundled Python script and no install specification. No additional packages are pulled or arbitrary download URLs used, which keeps install risk low.
!
Credentials
The package requests no environment variables, yet the script contains a hard-coded ACCESS_TOKEN (token string present) and APPID. This is inconsistent and risky: the token in the package could be leaked, abused, expired, or belong to someone else. Also, SKILL.md mentions Doubao TTS credentials but does not instruct the user to supply or rotate an ACCESS_TOKEN via env vars.
Persistence & Privilege
The skill does not request permanent system presence (always=false), does not modify other skills' configs, and only creates temporary files and a lock file under /tmp. No elevated privileges or persistent system-wide changes are requested.
What to consider before installing
This skill looks like a legitimate TTS helper but has a few issues you should consider before installing: - Hard-coded credential: The script contains an ACCESS_TOKEN string and APPID embedded in source. That token could be abused by whoever has it, may consume someone else's quota, or may be invalid. Ask the author to remove embedded secrets and require the user to provide their own token (e.g., via an environment variable) before use. If you install it, treat the embedded token as untrusted and consider rotating your own service credentials if you test it. - Data sent to external service: All text passed to this skill is transmitted to Doubao/ByteDance's TTS endpoint. Do not send sensitive, private, or regulated data through this skill unless you control the service account and have reviewed privacy/compliance. - Path and OS assumptions: SKILL.md uses an absolute user path (/Users/tony/...) and the code uses macOS 'afplay'. If you are not on macOS or your skill workspace is elsewhere, update the invocation instructions and the player command. - Recommended actions before installing: (1) Request that the maintainer replace the hard-coded ACCESS_TOKEN with a requirement to set an env var (and update SKILL.md). (2) Verify who owns the embedded token (if you must use it temporarily) and whether it should be rotated. (3) Run the script in a sandbox or isolated account first and confirm it only sends the expected TTS requests and deletes temp files. (4) If you need cross-platform playback, update the code to detect the OS and choose an appropriate player. If the maintainer cannot or will not remove the embedded token and document how credentials are set, treat this package as risky and prefer a version that requires user-supplied credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk976ndg8qyqwswbvwb3cne9k9585e14n
113downloads
0stars
2versions
Updated 3d ago
v1.0.1
MIT-0
@olddirtybikertony
latest
Download

voice-output skill

Speaks responses aloud when Tony requests voice reply.

Trigger conditions

When Tony says:

  • 「语音回复」
  • 「用话说」
  • 「voice reply」
  • 「语音」
  • Or any similar request to hear the response

How to trigger

  1. Generate the full text response
  2. Call voice_speak.py to speak it aloud:
python3 /Users/tony/.openclaw/workspace/skills/voice-output/scripts/voice_speak.py "text to speak"

Default voice

  • Model: zh_female_xiaohe_uranus_bigtts (小何)
  • TTS: Doubao TTS 2.0
  • Player: afplay (routes to MOMAX BS6)

Dependencies

  • Python3 (urllib, base64 built-in)
  • afplay (macOS built-in)
  • Doubao TTS credentials (APPID: 8982709936)

Comments

Loading comments...