Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

tts

v1.0.0

Convert text to speech using SkillBoss API Hub. Use when the user asks for an audio message, a voice reply, or to hear something "of vive voix".

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for tobeyrebecca/toby-tts.

Prompt Preview: Install & Setup
Install the skill "tts" (tobeyrebecca/toby-tts) from ClawHub.
Skill page: https://clawhub.ai/tobeyrebecca/toby-tts
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install toby-tts

ClawHub CLI

npx clawhub@latest install toby-tts
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (TTS via SkillBoss API Hub) aligns with the included scripts: both scripts POST text to https://api.heybossai.com/v1/pilot and write an MP3 file. However, the registry metadata at the top of the report lists no required env vars or required binaries, while SKILL.md and the scripts require SKILLBOSS_API_KEY and assume Node is available — this metadata mismatch is inconsistent.
Instruction Scope
SKILL.md limits runtime actions to invoking the provided Node scripts with SKILLBOSS_API_KEY, generating audio, and printing a MEDIA: path. The scripts only POST to the SkillBoss API and write an output file; they do not read other local files or additional environment variables. No unexpected remote endpoints are used beyond api.heybossai.com.
! Install Mechanism
There is no install specification (instruction-only), yet the skill includes Node scripts and a package-lock.json/package.json. The registry metadata did not declare Node or any required binaries. The scripts rely on Node's runtime (ESM import syntax and global fetch) and the commander package; without an explicit install step, the environment may lack dependencies. The package-lock.json contains many packages (including an 'openai' entry) that are not used by the scripts; that is unusual but not directly malicious — it is messy and could confuse auditing or cause unexpected installs if someone runs npm install blindly.
! Credentials
The only secret the SKILL.md requires is SKILLBOSS_API_KEY, which is appropriate for a TTS integration. But the top-level metadata did not declare this required env var or a primary credential, creating an inconsistency. Also note: providing the API key will send the text you convert to an external service (heybossai.com), so sensitive or private text would be transmitted to that third party.
Persistence & Privilege
The skill does not request permanent/always-on presence (always: false) and does not modify other skills or global agent settings. It appears to run only when invoked and only writes the generated audio file to disk.
What to consider before installing
Before installing or running this skill:

  • Verify you trust the SkillBoss / heybossai.com service. Any text you send will be posted to that external API with your SKILLBOSS_API_KEY.
  • Provide only a dedicated API key with minimal permissions if possible; avoid using a key with broad account access.
  • Be aware the skill expects Node (ESM) and the commander package; the registry metadata doesn't declare Node as required and there's no install step. Ensure your agent environment already has a compatible Node runtime and dependencies, or examine/modify the scripts to run safely.
  • The package-lock.json contains many packages (including an 'openai' entry) that the scripts do not use; do not blindly run npm install in an elevated environment without reviewing the lockfile.
  • If you plan to convert sensitive text, review the API provider's privacy policy and consider running TTS with a local or fully-audited provider instead.
  • If you need full assurance, ask the skill author to correct the metadata (declare SKILLBOSS_API_KEY and required runtime), provide a minimal package-lock, or publish a clear install script that only pulls known, necessary dependencies.
scripts/generate_hume_speech.js:13: Environment variable access combined with network send.
scripts/generate_speech.js:13: Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

74 downloads
0 stars
1 versions
Updated 6d ago
v1.0.0
MIT-0

Text-to-Speech (TTS)

Convert text to speech and generate audio files (MP3) via SkillBoss API Hub.

SkillBoss API Hub (Preferred)

  • Preferred Voice: alloy
  • Keys: Stored in environment as SKILLBOSS_API_KEY.

Usage

SKILLBOSS_API_KEY="..." node {baseDir}/scripts/generate_hume_speech.js --text "Hello Jonathan" --output "output.mp3"

Alternative TTS Script

  • Preferred Voice: nova
  • Usage: SKILLBOSS_API_KEY="..." node {baseDir}/scripts/generate_speech.js --text "..." --output "..."

General Notes

  • The scripts print a MEDIA: line with the absolute path to the generated file.
  • Use the message tool to send the resulting file to the user.
