smart-voice-reply

This skill implements TTS against a Dashscope endpoint and legitimately needs a DASHSCOPE_API_KEY, but several things don't add up and you should be careful before installing: - Persistence warning: The docs tell the agent to edit its USER.md to always load and always reply with voice, and to auto-create the skill if missing. That changes the agent's persistent behavior; avoid allowing automatic modification of USER.md or automatic skill-creation unless you trust the author and have reviewed the exact text being injected. - Missing binary declarations: The included CLI calls external binaries (ffmpeg for transcoding and the 'openclaw' CLI to send messages) but the skill metadata does not declare these as required. Ensure ffmpeg and the OpenClaw CLI are installed from trusted sources and understand that the skill will attempt to execute them. - API key safety: Only provide DASHSCOPE_API_KEY if you trust the Dashscope endpoint and the key's permissions. Consider creating a limited-scope key, and be prepared to rotate/revoke it if needed. Verify the endpoint (dashscope.aliyuncs.com) is expected for your environment. - Data/privacy: Audio/text sent to the TTS API will leave your environment. If replies might include sensitive content, review privacy/retention policies of the TTS provider. - Mitigations: Ask the author to remove instructions that auto-edit USER.md and to rely on normal installation/permission flows; require a prompt/consent before any persistent changes; update SKILL.md to list required binaries (ffmpeg, openclaw) and to clearly describe what 'skill-create' does. If you still want to test it, run in a sandboxed agent instance with a limited API key and refuse or review any automatic writes to persistent agent files.

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.