Voice Reply
Review
Audited by ClawScan on May 10, 2026.
Overview
Voice Reply appears to be a coherent offline text-to-speech skill, but its manual installer uses sudo to download and run third-party TTS components, and the referenced main command is not included in the reviewed files.
This looks like a normal offline TTS skill, but treat the installer like any sudo system installer: verify the source and downloaded releases, run it only on a trusted machine, and confirm the missing `bin/voice-reply` executable is present and reviewable before relying on the skill.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user must trust the downloaded GitHub release artifacts and the installer before allowing system-level installation.
The installer downloads and extracts third-party runtime/model archives during setup. This is expected for a local TTS skill, but the artifact does not show checksum or signature verification.
curl -L -o sherpa.tar.bz2 "https://github.com/k2-fsa/sherpa-onnx/releases/download/${SHERPA_VERSION}/sherpa-onnx-${SHERPA_VERSION}-linux-x64-shared.tar.bz2"
...
tar -xjf sherpa.tar.bz2 --strip-components=1
Verify the upstream release URLs and, where possible, compare checksums or signatures before running the installer.
If the installer or downloaded runtime were compromised, it could affect the local system with elevated privileges.
The setup script is intended to run with root privileges and then executes the installed sherpa-onnx TTS binary as a test. That is purpose-aligned, but it means downloaded executable code may run during installation.
echo -e "${RED}Error: Please run as root (sudo ./install.sh)${NC}"
...
TEST_OUTPUT=$("$SHERPA_DIR/bin/sherpa-onnx-offline-tts" ... "Test" 2>&1 || true)
Run the installer only in an environment you control and trust; consider reviewing the script and downloaded artifacts or using a container/non-production machine.
The skill may not run as documented, or it may depend on an additional executable that was not part of this review.
The reviewed manifest does not include the `{baseDir}/bin/voice-reply` command referenced by SKILL.md, so the main runtime wrapper's behavior cannot be verified from the supplied artifacts.
3 file(s): README.md (1960 bytes), SKILL.md (4484 bytes), scripts/install.sh (4007 bytes)
Before use, confirm that `bin/voice-reply` exists in the installed skill package and review its contents.
