TopMediai TTS

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill is a coherent TopMediai text-to-speech integration, but users should notice that it requires a TopMediai API key, sends submitted text to the TopMediai API, and uses unpinned Python dependencies.

This appears safe to install if you intend to use TopMediai TTS. Before using it, store the API key carefully, understand that generated text is sent to TopMediai and may consume account quota, and consider installing the Python dependencies in an isolated environment.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can act against the user's TopMediai account and may use account entitlements or credits when generating speech.

Why it was flagged

The skill reads a TopMediai API key from the environment/.env and sends it as the x-api-key header. This is expected for the stated API integration, but it is still an account credential users should protect.

Skill content

DEFAULT_KEY = os.environ.get("TOPMEDIAI_API_KEY") ... return {"x-api-key": key, "Content-Type": "application/json"}

Recommendation

Use a dedicated TopMediai API key with the minimum needed access if available, keep the .env file private, and rotate the key if it may have been exposed.

What this means

Text submitted for synthesis is transmitted to TopMediai and may be processed under that service's policies.

Why it was flagged

The TTS command sends user-provided text and voice parameters to the external TopMediai text-to-speech endpoint. This is core to the skill purpose, but users should avoid sending sensitive text unless they trust the provider.

Skill content

payload: Dict[str, Any] = {"text": text, "speaker": speaker} ... requests.post(url, json=payload, headers=headers, timeout=120)

Recommendation

Do not synthesize confidential, regulated, or private text unless TopMediai's data handling terms are acceptable for that content.

What this means

Dependency versions may vary between installations, which can affect reproducibility and supply-chain assurance.

Why it was flagged

The skill depends on external Python packages with lower-bound version constraints rather than exact pinned versions. These are common dependencies and this is not suspicious by itself, but it leaves installed versions to the user's environment.

Skill content

requests>=2.31.0
python-dotenv>=1.0.1

Recommendation

Install in an isolated environment and consider pinning exact package versions if reproducible or high-assurance deployment is needed.