Back to plugin

Security audit

Local CLI TTS

Security checks across malware telemetry and agentic risk

Overview

This plugin does what it claims: it lets OpenClaw run a user-configured local TTS command and convert the resulting audio.

This appears internally consistent with a local CLI TTS provider. The main thing to understand is that it runs whatever command you configure; only point it at a TTS tool you trust. If you configure a cloud-based TTS CLI or provide API keys in the plugin config, that external tool—not this plugin—may send text/audio to its service. Confidence is medium because the provided speech-provider.ts content was truncated, so reviewing the full source would provide stronger assurance.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
speech-provider.ts:268
Evidence
const proc = spawn(cmd, args, { cwd: params.cwd, env, stdio: ["pipe", "pipe", "pipe"] });