Back to skill
Skillv1.0.1
ClawScan security
Mimimax Voice Clone +TTS · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 9, 2026, 10:30 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and requested credentials are consistent with a MiniMax voice-clone + TTS utility; the only notable issues are small metadata omissions and the fact that the script will write back to this SKILL.md file (expected behavior).
- Guidance
- This skill appears to do exactly what it says: clone audio to MiniMax, create voices, synthesize speech, and update a mapping block in SKILL.md. Before installing/running: (1) ensure you set one of MINIMAX_API_KEY / MINIMAX_KEY / MINIMAX_GROUP_API_KEY (the registry metadata currently omits this requirement); (2) run the script from the skill directory (or confirm the SKILL.md path) to avoid unintended file writes; (3) inspect the included Python script if you want to be sure it accesses only the expected endpoints (it calls api.minimax.io); (4) only provide audio files and output paths you trust and avoid running with elevated privileges. If you want the registry listing fixed, ask the skill author to declare the required env var(s) in the registry metadata so it matches SKILL.md and the code.
Review Dimensions
- Purpose & Capability
- noteThe skill name, description, SKILL.md instructions, and included Python script all align: they upload audio to MiniMax, create cloned voices, perform TTS, and maintain a mapping block in SKILL.md. However, registry metadata shown earlier lists no required environment variables/primary credential while both SKILL.md and the script require one of MINIMAX_API_KEY / MINIMAX_KEY / MINIMAX_GROUP_API_KEY. This is an inconsistency in the manifest (likely an author oversight) but the credentials themselves are appropriate for the stated purpose.
- Instruction Scope
- okThe SKILL.md and the script restrict actions to: reading a user-provided audio file, calling MiniMax endpoints, writing TTS output to the provided path, and reading/writing this skill's SKILL.md mapping block. There are no instructions to read unrelated system files or exfiltrate arbitrary data. The write-back of mappings to SKILL.md is explicit and documented (so users should expect it).
- Install Mechanism
- noteThere is no registry install spec (instruction-only), and required dependency is only 'requests' per requirements.txt. That is low risk, but the presence of a runnable script plus a requirements.txt means users must install Python deps manually; there is no automated install step in the registry metadata. This is operationally inconvenient but not a security red flag.
- Credentials
- noteThe script only requires a MiniMax API key (one of MINIMAX_API_KEY / MINIMAX_KEY / MINIMAX_GROUP_API_KEY) for API access — this is proportionate to voice cloning/TTS. The earlier registry summary incorrectly omitted these required env vars, which should be corrected so users know they must supply credentials before running.
- Persistence & Privilege
- okThe skill is not always-enabled and does not request elevated platform privileges. It writes only to its own SKILL.md mapping block and to arbitrary output paths the user supplies (e.g., --output), which is expected for a TTS tool. Users should run it from the intended skill directory to avoid accidentally updating the wrong file.