Beep - Xiao Laba
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a real voice-announcement skill, but it tries to make announcements mandatory and persistent across future agent sessions and may send announcement text to an external TTS provider.
Install only if you truly want always-on voice announcements. Before copying the integration snippets, back up AGENTS.md, MEMORY.md, IDENTITY.md, TOOLS.md, and USER.md, and decide whether sending short announcement text to edge_tts is acceptable. Avoid announcing secrets, review the Python dependencies, and keep a clear disable/removal plan.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may speak during every interaction and invoke the announcement tool across unrelated tasks.
The skill elevates itself from an optional audio helper into a mandatory rule for every agent interaction, forcing tool use even when the user did not ask for an announcement on that specific task.
**Every interaction must be announced by voice!** This is a core behavioral rule of the OpenClaw Agent and must be strictly followed.
Use this only if always-on announcements are desired; otherwise change the instructions to require explicit user opt-in or a per-session setting.
The behavior can persist after the initial task and may be difficult to disable unless the user manually edits several workspace files.
The skill asks for its rules to be copied into persistent workspace, memory, identity, tools, and user-preference files, so future sessions may continue treating the announcement rule as authoritative.
The announcement rules need to be added to the following OpenClaw workspace files... AGENTS.md ... MEMORY.md ... IDENTITY.md ... TOOLS.md ... USER.md
Back up these files before integration, add a clear opt-out/uninstall procedure, and avoid placing mandatory skill rules in long-term memory unless the user explicitly wants that.
Short summaries of commands or replies could be sent to a TTS service rather than staying entirely local.
Announcement text is passed to edge_tts for speech generation. Because the skill requires announcements for user commands, progress, and reply summaries, these snippets may include sensitive task context and the provider boundary is not clearly explained.
cmd = [sys.executable, "-m", "edge_tts", "--text", text, "--voice", voice, "--write-media", output_file]
Disclose the TTS provider data flow clearly, provide a local-only TTS option if available, and avoid announcing secrets or sensitive user content.
Users could overestimate the privacy of announcements if they read 'local playback' as 'no external TTS data flow.'
The skill frames the feature as local background playback that does not send audio files to chat, but users may also need to know that speech generation uses edge_tts and may involve an external provider.
- **Announcement preference:** Play only locally in the background; do not send voice files to the chat
Clarify that local playback is different from local speech synthesis, and state whether announcement text leaves the device.
Installation relies on external package resolution, which can change over time.
The Python dependencies are expected for a TTS/audio skill, but they are version ranges rather than pinned artifacts, and the registry entry has no install spec.
edge-tts>=7.2.8 pygame>=2.6.1
Install from trusted package sources, consider pinning versions, and review dependency provenance before enabling always-on behavior.
