Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Minimax Tts Cn
v1.2.3MiniMax TTS skill (enhanced). Multi-agent voice support (each agent can select a unique voice written in SOUL.md), native voice message for Telegram (MP3) an...
⭐ 0· 63·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill's name and description (MiniMax TTS with Telegram/Feishu delivery) match the included scripts: python code calls the MiniMax TTS API and the shell wrapper handles generation, optional ffmpeg transcode and Telegram delivery. One mismatch: the registry-level "Required env vars" lists TELEGRAM_BOT_TOKEN and TELEGRAM_TARGET as required, whereas SKILL.md and the scripts treat those as optional (only needed for sending). This is likely a metadata error rather than functional misalignment.
Instruction Scope
Instructions and scripts only read credentials from .env or environment variables, write audio files under the OpenClaw workspace (~/.openclaw/workspace/generated/*), call the MiniMax API (api.minimaxi.com), optionally call Telegram's Bot API, and use ffmpeg for conversion. The scripts do not attempt to read unrelated system files or send arbitrary data to unknown endpoints.
Install Mechanism
No install spec is provided (instruction-only plus included scripts). Required binaries are standard (python3, ffmpeg). No downloads from third-party URLs or archive extraction occur during install.
Credentials
The primary credential (MINIMAX_API_KEY) is appropriate. Telegram credentials are relevant only if you want the skill to send messages; SKILL.md marks them optional, but registry metadata lists them as required — this inconsistency should be corrected. The scripts load and export .env entries, so any secrets placed in the .env will be exported into the script environment (expected behavior but worth noting).
Persistence & Privilege
The skill does not request permanent system-wide presence (always:false) and does not modify other skills or agent configuration. It only writes generated audio files under the OpenClaw workspace and reads a local .env for configuration.
Assessment
This skill appears to do what it claims: call MiniMax's API to produce audio and optionally send it to Telegram or prepare Feishu-compatible files. Before installing, consider the following:
- MINIMAX_API_KEY is required and will be used to authenticate to https://api.minimaxi.com — only provide a key you trust to be used for TTS. Do not reuse high-privilege keys elsewhere.
- Telegram credentials (TELEGRAM_BOT_TOKEN, TELEGRAM_TARGET) are only needed if you want the skill to send messages. If you do not want automatic sending, leave them unset; the skill supports a --generate-only mode.
- The registry metadata marks Telegram vars as required although the SKILL.md and scripts treat them as optional — treat the SKILL.md behavior as authoritative and verify before supplying Telegram tokens.
- The scripts load a .env file and export its entries into the environment. Keep .env private and out of version control (setup.txt already warns about this).
- The python script and shell wrapper use workspace paths (~/.openclaw/workspace). Check those directories for generated files and remove audio files if you do not want them retained.
If you need higher assurance, you can inspect/verify the two included files (scripts/tts.py and scripts/tts-xiaoye.sh) locally before supplying secrets. If you do not intend to send to Telegram/Feishu, omit the related env vars to reduce blast radius.Like a lobster shell, security has layers — review code before you run it.
latestvk97bmwa54t3xscnbfp92v0jve983mmye
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎙️ Clawdis
Binspython3, ffmpeg
EnvMINIMAX_API_KEY, TELEGRAM_BOT_TOKEN, TELEGRAM_TARGET
Primary envMINIMAX_API_KEY