小米 MiMo TTS
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a straightforward text-to-speech skill, but it uses a Xiaomi MiMo API key and sends requested text to an external TTS provider.
This skill is reasonable to install if you trust the Xiaomi MiMo TTS provider and are comfortable sending the text you want spoken to that API. Before using it, configure a MiMo API key carefully, avoid putting sensitive text into TTS requests, and review the small Python script/dependency setup because the registry metadata does not fully declare its credential and provenance details.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill needs access to a MiMo API key to call the provider, and an exposed or over-privileged key could be misused outside this skill.
The script uses a MiMo API key from the environment, the local OpenClaw config, or a CLI argument. This is expected for an API-backed TTS skill, but users should notice the credential use, especially because registry requirements list no primary credential or required env var.
api_key = os.environ.get("MIMO_API_KEY") ... config_path = os.path.expanduser("~/.openclaw/config.json") ... parser.add_argument("--api-key", "-k"
Use a scoped MiMo API key if available, avoid placing secrets in shared command history, and verify the OpenClaw config entry before use.
Any text you ask it to synthesize may be processed by the third-party TTS provider.
The text selected for speech synthesis is sent to the external Xiaomi MiMo-compatible API endpoint and audio is returned. This is purpose-aligned, but it is still an external data flow.
base_url="https://api.xiaomimimo.com/v1" ... {"role": "assistant", "content": full_text} ... audio={"format": "wav", "voice": voice}
Do not synthesize secrets or highly sensitive private content unless you trust the provider and its data-handling terms.
It may be harder to verify who maintains the skill or how dependencies should be installed.
The artifact does not identify an upstream source or homepage and has no install spec, even though it includes a Python helper script. No malicious behavior is shown, but provenance is limited.
Source: unknown; Homepage: none; Install specifications: No install spec
Review the included script before use and install dependencies only from trusted package sources.
