Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SOTA Zero-shot Voice Cloning TTS

v1.0.0

Voice-first OpenClaw skill powered by MOSS APIs. Use when a user wants spoken replies in a preferred timbre, either from an existing voice_id or from a refer...

by Qinyuan Cheng @xiami2019
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to be a 'MOSS' TTS integration but the SKILL.md uses 'MOSI' names (MOSI_API_KEY, MOSI_BASE_URL) and a default host https://studio.mosi.cn; registry metadata lists no required env vars or homepage/source. Asking for an API key and the ability to upload local audio is coherent with a TTS/cloning skill, but the mismatch between the declared registry metadata and the runtime requirements (missing required env var in metadata, no homepage/source) is an incoherence that needs explanation.
Instruction Scope
Instructions are specific: accept text and a voice source, upload local audio via POST /api/v1/files/upload, call voice clone and TTS endpoints, poll for status, decode base64 audio, and return a file path and metadata. These actions are consistent with voice-cloning TTS functionality but include transmitting local audio files to an external service — users should be aware of privacy implications. The SKILL.md does instruct to not log API keys, which is good.
Install Mechanism
No install spec and no code files (instruction-only) — lowest installation risk. Nothing is written to disk by an installer here; runtime network calls and file uploads are the main runtime surface.
Credentials
The SKILL.md requires MOSI_API_KEY (and optionally MOSI_BASE_URL), which is proportionate for an external TTS API. However, the registry metadata claims no required env vars — that discrepancy is a red flag. Also there is no documented owner homepage or source to verify what MOSI_API_KEY grants or what data is retained by the service.
Persistence & Privilege
The skill is not always-enabled and uses normal autonomous invocation defaults. It does not request any system-level persistence or modify other skill configurations (based on SKILL.md).
What to consider before installing
Before installing, confirm the provider and provenance: ask the publisher to (1) update registry metadata to list the required MOSI_API_KEY and MOSI_BASE_URL, (2) provide a homepage or source repo so you can verify the service and privacy policy, and (3) clarify whether 'MOSS' vs 'MOSI' is a typo or different provider. Treat the MOSI_API_KEY like any secret — only grant a key scoped to minimal permissions and avoid reusing high-privilege keys. Understand that using local audio will upload user files to the external service (privacy risk); if that is unacceptable, do not enable local-file uploads. If you proceed, consider restricting the skill's network access or using an API key with limited quota/expiration, and verify logs to ensure keys are never echoed.

Like a lobster shell, security has layers — review code before you run it.

Tags: Speech, TTS, Voice Clone, latest
