Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Web Reader TTS

v2.0.0

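Extracts the main text of a web page, automatically detects the language, synthesizes speech with Microsoft Edge TTS and recognizes it with Whisper; supports reading aloud in Chinese, English, Japanese and mixed languages.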

by Zach @phentse
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (web page → TTS → Whisper) align with the provided files and SKILL.md. The Python script and Readability.js implement the described mixed-extraction pipeline (trafilatura, Readability, newspaper3k) and call edge-tts and openai-whisper as documented. No extraneous cloud credentials or unrelated binaries are requested.
Instruction Scope
SKILL.md and web_reader_tts.py stay within the stated scope (download/parse pages with Playwright/trafilatura/newspaper, synthesize via edge-tts, transcribe with Whisper). Two notes: (1) the skill fetches and renders arbitrary webpages in Playwright (the browser will execute page JS during navigation), which is expected but means untrusted pages could execute scripts inside the headless browser context; (2) the repository includes transcript.txt containing many hacking/offensive command-line snippets — this appears to be example output/data, not active code, but users should be aware the skill will read and reproduce whatever text is present on a target URL.
Install Mechanism
No installer that pulls arbitrary code from unknown hosts is declared (instruction-only install). SKILL.md tells users to pip install standard packages and to run 'python -m playwright install chromium' — these are expected. Caveat: Playwright will download a Chromium build and Whisper may download large models on first run; these are normal but require bandwidth/disk.
Credentials
The skill requests no environment variables or credentials, which is proportional. One privacy/telemetry implication: edge-tts performs network calls to Microsoft's TTS endpoints (documented in SKILL.md). That means page content sent to Edge TTS for synthesis will leave the host machine; the skill does not request explicit API keys but does transmit content over the network for TTS. Whisper is local and model downloads are local.
Persistence & Privilege
always is false and the skill does not request elevated or persistent system privileges. It contains code that writes local output files (audio.mp3, transcript.txt) which is consistent with its purpose; no modifications to other skills or system-wide configs are present.
Assessment
This skill appears to be what it says: it fetches pages, extracts text, synthesizes audio via Microsoft Edge TTS, and transcribes with Whisper. Before installing, consider: (1) Privacy: synthesized text is sent to Microsoft’s Edge TTS service (no API key required), so avoid sending highly sensitive content you don't want transmitted off-device. (2) Resource use: Playwright will download Chromium and Whisper may download very large models (medium/large), so ensure you have bandwidth and disk space. (3) Untrusted pages: the skill will load and render arbitrary URLs in a headless browser — do not point it at internal URLs or pages containing secrets. (4) The repo includes a transcript.txt containing many offensive/malicious command examples — this is likely sample data but underscores that the skill will faithfully read whatever text it extracts. If you need stricter privacy, consider an offline/local TTS engine or review/clean content before sending it to Edge TTS.

Like a lobster shell, security has layers — review code before you run it.

latestvk979bcfh602a5n22nxe9sssrk984t26h
