Truly Local Piper Multilang TTS (secure)

Pass. Audited by ClawScan on May 10, 2026.

Overview

This skill appears purpose-aligned for local text-to-speech, with user-directed setup and voice downloads, but users should notice that it installs unpinned Python packages and stores generated audio/models locally.

This looks safe for its stated purpose. Before installing, be aware that first-time setup downloads unpinned Python packages from PyPI, voice downloads require internet access, and generated audio plus downloaded models are stored locally under the skill/OpenClaw workspace. Use it for text you are comfortable keeping as local audio files.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill may download and run third-party Python package code needed for Piper TTS.

Why it was flagged

The setup step installs unpinned Python packages from PyPI into the skill's virtual environment. This is disclosed and purpose-aligned, but it introduces normal package supply-chain risk.

Skill content

await execFileAsync(pipPath, ['install', '--quiet', 'piper-tts', 'pathvalidate'], { timeout: 300000 });

Recommendation

Proceed only if you trust the package source; consider reviewing or pinning package versions in controlled environments.

What this means

The skill will execute local TTS tooling when asked to synthesize speech.

Why it was flagged

The skill runs a bundled shell wrapper to invoke Piper and generate audio. This local command execution is central to the stated TTS purpose and uses execFile rather than shell command construction.

Skill content

await execFileAsync(PIPER_SCRIPT, [text, outputPath], { timeout: 30000, maxBuffer: 1024 * 1024, env })

Recommendation

Keep this skill installed only if you are comfortable allowing it to run its bundled local TTS script and Python venv.

What this means

A saved speed preference will affect future TTS sessions automatically.

Why it was flagged

The skill can persist user speech-speed preferences in a local config file. The stored data is narrow and disclosed, but it is reused across later TTS calls.

Skill content

const CONFIG_FILE  = path.join(PIPER_DIR, 'config.json'); ... fs.writeFileSync(CONFIG_FILE, JSON.stringify(next, null, 2) + '\n', 'utf8');

Recommendation

Only save defaults you want reused; remove or edit the skill's config.json if you want to reset preferences.

What this means

Text you ask to synthesize may remain as an audio file in the workspace and could be sent if you ask the agent to share it.

Why it was flagged

Generated audio files are stored in the OpenClaw workspace and may then be attached or sent by the agent. This is expected for the TTS purpose, but users should remember generated files persist locally.

Skill content

Writes audio files into the OpenClaw workspace for easy attachment and sending.

Recommendation

Avoid synthesizing sensitive text unless you are comfortable with the resulting audio file being stored locally; delete workspace TTS outputs when no longer needed.