ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TTS Media Route Fix

v1.0.0

Fix and verify OpenClaw TTS media-route behavior in installed dist builds. Use when users report that tts.convert returns unusable audio URLs, media TTS MP3...

0· 54·0 current·0 all-time
by@tralaleo-tralala
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included scripts and SKILL.md: find gateway-cli-*.js, back up, patch route behavior, restart gateway, and verify via authenticated curl. No unrelated env vars, binaries, or external services are requested.
Instruction Scope
SKILL.md confines actions to locating specific dist files, creating .bak backups, applying a minimal patch to the /media/tts/*.mp3 handler, restarting the gateway, and verifying with a Bearer-authenticated range curl. The included scripts only search expected install roots and perform a curl-based verification; they do not read or transmit unrelated system data. Note: the workflow requires manual edits to installed files and possession of permissions to modify/install and restart the gateway.
Install Mechanism
No install spec and only two small helper scripts are included. Nothing is downloaded from external URLs and no archives are extracted. This is the lowest-risk install pattern for an instruction-only skill.
Credentials
The skill declares no required environment variables or credentials. The verification script requires a bearer token passed as an argument (expected and proportional for verifying authenticated media routes). There is no storage or exfiltration of secrets in the repository.
Persistence & Privilege
The skill does instruct operators to modify installed gateway-cli-*.js files and to run 'openclaw gateway restart', which require filesystem and service-control privileges on the host. This is coherent with the patching purpose but operators should be aware these are privileged actions and can affect runtime availability.
Assessment
This skill appears to do what it says: locate hashed gateway-cli dist files, back them up, apply a minimal patch to the TTS media route, restart the gateway, and verify with an authenticated range request. Before using it: (1) review the exact patch you will apply to the gateway-cli-*.js files—do the edits locally and confirm they only implement the stated checks (filename validation, Bearer auth, proper Content-Type, Range support, TTL cleanup); (2) ensure you have backups and a rollback plan (the SKILL.md emphasizes .bak files); (3) run the workflow in a staging environment first to avoid production downtime; (4) supply bearer tokens only on the local command line and avoid pasting them to untrusted systems; and (5) verify you trust the skill source—manual edits to installed runtime files are powerful and should be done by an operator who can inspect the changes. If you want higher assurance, request an explicit patch diff or an automated patch script that you can review before applying.

Like a lobster shell, security has layers — review code before you run it.

latestvk97798fexp47j1p0xc5kf64kfd83bxy6openclawvk97798fexp47j1p0xc5kf64kfd83bxy6ttsvk97798fexp47j1p0xc5kf64kfd83bxy6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments