Voice For Openclaw Publish

Security checks across malware telemetry and agentic risk

Overview

This voice-generation skill is coherent and purpose-aligned, but it uses external MiniMax/Telegram services and credentials that users should configure carefully.

This skill appears safe for its stated purpose if you want MiniMax-based text-to-speech. Before installing, understand that text you synthesize is sent to MiniMax, Telegram delivery can post generated audio to the configured chat, and credentials should be kept in a private .env file with only the services you actually need enabled.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Low
What this means

Anyone installing the skill must trust it with the MiniMax API key, and Telegram credentials can allow posting voice messages to the configured chat.

Why it was flagged

The skill requires a MiniMax secret key and optionally uses Telegram bot credentials; these are expected for the stated TTS and message-sending purpose, but they are sensitive credentials.

Skill content
MINIMAX_API_KEY=your-minimax-secret-key-here
...
TELEGRAM_BOT_TOKEN=your-telegram-bot-token-here
TELEGRAM_TARGET=your-telegram-chat-id-here
Recommendation

Store the .env file securely, use only the credentials needed, restrict or rotate bot/API keys where possible, and avoid configuring Telegram credentials unless you want automatic voice-message delivery.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Text submitted for speech generation is processed by MiniMax, and generated audio may also be sent to messaging services if those modes are used.

Why it was flagged

The script sends the text to be synthesized to MiniMax's external API. This is disclosed and central to the skill, but it means user-provided text leaves the local environment.

Skill content
API_BASE = "https://api.minimaxi.com"
...
data = {
        "model": model,
        "text": text,
...
resp = requests.post(url, headers=headers, json=data, timeout=120)
Recommendation

Do not synthesize confidential text unless you are comfortable sending it to MiniMax and, when enabled, to Telegram or Feishu.

ASI02: Tool Misuse and Exploitation
Low
What this means

A normal invocation can send a voice message to the configured Telegram chat, including groups if that chat ID is configured.

Why it was flagged

After generating audio, the default path posts it to Telegram if a target is available. This matches the skill's messaging purpose, but it is an external posting action rather than only local file generation.

Skill content
TARGET="${TARGET:-$DEFAULT_TARGET}"
...
RESPONSE=$(curl -s -X POST "https://api.telegram.org/bot${BOT_TOKEN}/sendVoice" \
    -F "chat_id=${TARGET}" \
    -F "voice=@${AUDIO_FILE}")
Recommendation

Confirm the Telegram target before use, prefer --generate-only when you only want a local audio file, and avoid configuring group/public chat targets unless intentional.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

The runtime behavior depends partly on whichever version of the requests package is installed, or later installed, in the environment.

Why it was flagged

The skill depends on the Python requests package without a pinned version. This is common and purpose-aligned for API access, but it leaves dependency resolution to the user's environment.

Skill content
requires:
      bins: [python3, ffmpeg]
      env: [MINIMAX_API_KEY]
      pip: [requests]
Recommendation

Use a trusted Python environment and consider pinning or preinstalling a known-good requests version if reproducibility matters.