Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Windows TTS (WSL2)

v1.1.1

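TTS that speaks "directly out loud" on Windows 11 (calls powershell.exe + System.Speech from WSL2/TUI). Use it when the user says "say it / read it out / voice announcement / use TTS" (说出来/读出来/语音播报/用TTS), or reports "no sound / the mp3 generated by tts is empty / it won't play" (没声音/tts 生成的 mp3 是空的/播不出来), and when Chinese speech is needed but OpenClaw's built-in tts is unavailable.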

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name, description, SKILL.md and the two scripts all consistently implement 'call Windows System.Speech from WSL' to play audio on the Windows default device. The functionality and required actions are proportional to the stated purpose.
Instruction Scope
The runtime instructions and scripts execute powershell.exe on the Windows host (expected for this skill). However, user-provided TEXT is embedded into a PowerShell double‑quoted string (\$s.Speak("$TEXT_ESC");) without escaping PowerShell variable/subexpression syntax ($, $(), ${}, etc.). That allows an input containing $var or $(...) to be interpreted by PowerShell and run arbitrary code on Windows. The SKILL.md mentions escaping $ to avoid bash expansion (a different issue) but does not warn about or mitigate PowerShell interpolation risk.
Install Mechanism
No install spec or external downloads; the skill is instruction + small scripts only. That is low-risk from an install/source-code perspective.
Credentials
The skill declares no env/credentials (correct). It implicitly requires a WSL environment with access to powershell.exe (i.e., Windows host), which the SKILL.md documents, but the registry metadata does not list an OS restriction—minor mismatch to be aware of.
Persistence & Privilege
always:false and no persistent installation or cross-skill config changes. The skill runs commands at invocation only; autonomous invocation remains platform default and is not by itself a new risk here.
What to consider before installing
This skill is coherent and will play speech through Windows as advertised, but it currently treats the text you ask it to speak as a PowerShell double‑quoted string and does not neutralize PowerShell variable or subexpression syntax. That means a crafted message (e.g., containing $env:..., $(...), etc.) could cause PowerShell to evaluate code on your Windows host. Before installing or using it: (1) Only run this skill in trusted environments and avoid feeding untrusted text to it. (2) Prefer a patched version of say.sh that safely passes the text to PowerShell (for example: use single-quoted here-strings or -EncodedCommand, or otherwise escape/encode $ and $( ) so no interpolation happens). (3) If you want to proceed comfortably, ask the maintainer to fix the script to treat text as a literal string (e.g., use $s.Speak(@'... '@) or use powershell -EncodedCommand with base64), and add an explicit OS requirement for WSL/Windows in the metadata.
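
One way to apply the scan's recommendation that the text be treated as a literal string, shown as an added example (this is not the skill's own say.sh): the text and voice name are base64-encoded in the shell and decoded inside PowerShell, a variant of the "encode" option above. The function names b64, build_ps_script and say_safe are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the skill's say.sh. Function names are hypothetical.
# Untrusted text reaches PowerShell only as base64 inside a single-quoted
# literal, so $var, $(...), ${...}, backticks and any kind of quote character
# in the text are never seen by the PowerShell parser.

# Base64 of the UTF-8 bytes of $1 on one line; output uses only [A-Za-z0-9+/=].
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Print the PowerShell script for: text = $1, optional voice name = $2.
# The function body is a subshell so its variables stay local.
build_ps_script() (
  text_b64=$(b64 "$1")
  voice_b64=$(b64 "${2:-}")
  # Fixed script fragments are single-quoted so the shell leaves $ alone;
  # the only expanded values are the two base64 strings.
  printf '%s' \
    'Add-Type -AssemblyName System.Speech; ' \
    '$u = [System.Text.Encoding]::UTF8; ' \
    "\$text = \$u.GetString([Convert]::FromBase64String('$text_b64')); " \
    "\$voice = \$u.GetString([Convert]::FromBase64String('$voice_b64')); " \
    '$s = New-Object System.Speech.Synthesis.SpeechSynthesizer; ' \
    'if ($voice) { $s.SelectVoice($voice) }; ' \
    '$s.Speak($text)'
)

# Speak the text on the Windows host from WSL.
# Usage: say_safe "text to speak" ["VOICE_NAME"]
say_safe() {
  powershell.exe -NoProfile -NonInteractive \
    -Command "$(build_ps_script "$1" "${2:-}")"
}
```

Because the generated script contains no double quotes and no characters taken from the input, the same command line is produced regardless of what the text contains apart from the base64 payload.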

Like a lobster shell, security has layers — review code before you run it.

latest vk9745w0fcsc7p4at69aed19r6x817440
768 downloads
0 stars
3 versions
Updated 6h ago
v1.1.1
MIT-0

Windows TTS (WSL2)

Use Windows built-in TTS via powershell.exe so audio plays through the Windows default output device (no WSLg/PulseAudio required).

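When to use this skill (trigger hints)

When the user says any of the following, prefer this skill over OpenClaw's built-in tts (which may generate an empty mp3 or stay silent in some environments):

  • "say it / read it out / read it aloud / voice announcement / use TTS" (说出来 / 读出来 / 念一下 / 语音播报 / 用 TTS)
  • "still no sound / no sound / it won't play" (还没声音 / 没声音 / 播不出来)
  • "Chinese speech" (中文语音), where the user wants it played directly through the computer's speakers

Note: this skill plays audio directly; it does not return an audio file path.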

Quick start (speak directly)

Run from WSL:

bash {baseDir}/scripts/say.sh "你好,我是你的助手。"

List installed voices

bash {baseDir}/scripts/list_voices.sh

Speak with a specific voice

bash {baseDir}/scripts/say.sh --voice "VOICE_NAME" "你好,我以后会用这个声音说话。"

Notes

  • If you embed PowerShell directly in bash, remember: escape $ or use outer single quotes; otherwise bash expands $s and breaks the command.
  • If the user reports errors like =New-Object or TypeName: prompts, prefer the provided scripts instead of ad-hoc quoting.
