Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Mimimax Voice Clone +TTS
v1.0.1Voice cloning and TTS using MiniMax API. User must provide a voice name when cloning; after success, voice_name->voice_id is written back to this skill doc f...
⭐ 1· 272·0 current·0 all-time
byTan@socketnet
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill name, description, SKILL.md instructions, and included Python script all align: they upload audio to MiniMax, create cloned voices, perform TTS, and maintain a mapping block in SKILL.md. However, registry metadata shown earlier lists no required environment variables/primary credential while both SKILL.md and the script require one of MINIMAX_API_KEY / MINIMAX_KEY / MINIMAX_GROUP_API_KEY. This is an inconsistency in the manifest (likely an author oversight) but the credentials themselves are appropriate for the stated purpose.
Instruction Scope
The SKILL.md and the script restrict actions to: reading a user-provided audio file, calling MiniMax endpoints, writing TTS output to the provided path, and reading/writing this skill's SKILL.md mapping block. There are no instructions to read unrelated system files or exfiltrate arbitrary data. The write-back of mappings to SKILL.md is explicit and documented (so users should expect it).
Install Mechanism
There is no registry install spec (instruction-only), and required dependency is only 'requests' per requirements.txt. That is low risk, but the presence of a runnable script plus a requirements.txt means users must install Python deps manually; there is no automated install step in the registry metadata. This is operationally inconvenient but not a security red flag.
Credentials
The script only requires a MiniMax API key (one of MINIMAX_API_KEY / MINIMAX_KEY / MINIMAX_GROUP_API_KEY) for API access — this is proportionate to voice cloning/TTS. The earlier registry summary incorrectly omitted these required env vars, which should be corrected so users know they must supply credentials before running.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It writes only to its own SKILL.md mapping block and to arbitrary output paths the user supplies (e.g., --output), which is expected for a TTS tool. Users should run it from the intended skill directory to avoid accidentally updating the wrong file.
Assessment
This skill appears to do exactly what it says: clone audio to MiniMax, create voices, synthesize speech, and update a mapping block in SKILL.md. Before installing/running: (1) ensure you set one of MINIMAX_API_KEY / MINIMAX_KEY / MINIMAX_GROUP_API_KEY (the registry metadata currently omits this requirement); (2) run the script from the skill directory (or confirm the SKILL.md path) to avoid unintended file writes; (3) inspect the included Python script if you want to be sure it accesses only the expected endpoints (it calls api.minimax.io); (4) only provide audio files and output paths you trust and avoid running with elevated privileges. If you want the registry listing fixed, ask the skill author to declare the required env var(s) in the registry metadata so it matches SKILL.md and the code.Like a lobster shell, security has layers — review code before you run it.
latestvk97adk79nwvgbys45ar8n3dhjd82kysq
License
MIT-0
Free to use, modify, and redistribute. No attribution required.