Skill v1.0.0
ClawScan security
TopMediai TTS · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 16, 2026, 12:30 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and required environment variables are coherent with a TopMediai TTS integration and do not request unrelated credentials or perform unexpected actions.
- Guidance: This skill appears to be what it claims: a thin Python client that sends your text and speaker choices to TopMediai's API. Before installing: (1) Verify you trust the TopMediai service and that sending your text/audio data to that API is acceptable (the skill transmits the text to api.topmediai.com by default). (2) Provide a dedicated API key with minimal permissions if possible. (3) Inspect the included scripts yourself (they are small and readable) before placing your real key in .env. (4) Avoid enabling TOPMEDIAI_DEBUG in production — debug prints partial key metadata to stdout. (5) Ensure you install dependencies (requests, python-dotenv) in a controlled environment. If you want extra assurance, replace TOPMEDIAI_BASE_URL with a verified official endpoint or proxy that you control.
Review Dimensions
- Purpose & Capability: ok. Name/description match the actual behavior: it lists voices, checks API key entitlement, and posts text to TopMediai's /v1/text2speech. Required items (TOPMEDIAI_API_KEY and optional TOPMEDIAI_BASE_URL) are appropriate for this purpose.
- Instruction Scope: ok. SKILL.md and plugin.json instruct the agent to run the included Python scripts, read an .env in the skill root for TOPMEDIAI_API_KEY, and call the documented TopMediai endpoints only. There are no instructions to read unrelated files, other credentials, or to exfiltrate data to unexpected endpoints.
- Install Mechanism: ok. No install spec; the package is delivered as code files with a minimal requirements.txt (requests, python-dotenv). There are no external downloads or archive extraction steps in the skill itself.
- Credentials: ok. The only required secret is TOPMEDIAI_API_KEY (plus an optional TOPMEDIAI_BASE_URL and debug flag). The code only accesses the skill's .env and standard environment variables; no unrelated credentials or system config paths are requested.
- Persistence & Privilege: ok. always is false and the skill does not modify other skills or global agent settings. It only reads a .env in its own directory and runs as a local process from the workspace.
