ClawHub

MiniMax TTS 国内版

v1.0.0

调用MiniMax语音合成API,支持中文多音色、高质量文本转语音,提供流式和非流式音频输出。

1· 1.3k·13 current·13 all-time
by@whille
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (MiniMax TTS) align with the code and SKILL.md: it calls a remote TTS API, accepts text and voice/model parameters, lists voices, and writes audio output. However, registry metadata claims no required env vars or primary credential while SKILL.md and the script clearly require MINIMAX_API_KEY—this metadata inconsistency is unexpected and reduces trust.
Instruction Scope
The runtime instructions and the included script stay within the stated purpose: they call TTS endpoints, list voices, decode audio and write an output file. The script does not read arbitrary user files, other environment variables, or post data to unknown endpoints beyond the declared API_BASE. It does print and write the generated audio file to disk (expected behavior for a CLI TTS tool).
Install Mechanism
There is no install spec (instruction-only plus an included Python script). That is low-risk compared to remote downloads. The SKILL.md asks for python3 and the requests package; the script imports requests. No archives or external installers are used.
Credentials
The script and SKILL.md require a single API credential (MINIMAX_API_KEY), which is proportionate for a third-party TTS API. However, the registry metadata claims no required env variables or primary credential—this mismatch is suspicious. No other secret env vars are requested or accessed by the script.
Persistence & Privilege
The skill does not request persistent or elevated privileges: always is false, it does not modify other skills or system-wide settings, and it only writes output audio files in the current working directory (or specified path).
What to consider before installing
This skill mostly behaves like a normal TTS client, but review the following before installing or using it: - Verify the API endpoint: the SKILL.md homepage references platform.minimax.io, but the script calls https://api.minimaxi.com (note the extra 'i' in minimaxi). That could be a harmless typo or point to an unintended/malicious host; confirm the correct API domain with the vendor/documentation before providing an API key. - Metadata mismatch: the registry entry claims no required env vars, while SKILL.md and the script require MINIMAX_API_KEY. Prefer skills whose published metadata matches their runtime requirements. - Limit exposure: only supply an API key that you control and can revoke; do not reuse broad-scoped or production credentials. Consider creating a limited/test account on the provider for initial use. - Code review: the script decodes hex audio and writes a local file (expected). It imports subprocess but does not use it—likely harmless but worth noting. If you have doubts, run the script in an isolated environment (container/VM) and inspect network traffic to confirm it talks only to the intended API host. - If you cannot confirm the correct API host or the publisher identity, do not provide credentials or use this skill in sensitive environments.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bvasj7fqrjyrgetxd8x90ws81zbqz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments