ecommerce-voice-cs
Audited by ClawScan on May 10, 2026.
Overview
The skill largely matches its TTS customer-service purpose, but it appears to persist API-key/session data on disk and even ships session-state files, so it should be reviewed before use.
Install only if you are comfortable sending generated customer-service or sales text to SenseAudio and saving audio locally. Before use, remove bundled .session_state files, avoid entering API keys directly unless storage is fixed, prefer environment/secret-store credentials, and choose a safe audio output directory.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A SenseAudio API key entered into the skill may remain in plaintext local files, where it could be exposed through backups, sharing, logs, or other local access.
The per-session state schema includes api_key fields and the helper writes the full state to JSON files under .session_state. This means user-provided SenseAudio credentials can be retained on disk rather than only used transiently.
    STATE_DIR = SKILL_ROOT / ".session_state"
    STATE_DIR.mkdir(exist_ok=True)
    ...
    AFTER_SALES_DEFAULTS = {
        "api_key": "",
    ...
    SALES_DEFAULTS = {
        "api_key": "",
    ...
    def _save_state(session_id: str, state: dict[str, Any]) -> None:
        _state_file(session_id).write_text(json.dumps(state, ensure_ascii=False, indent=2), encoding="utf-8")
Do not store API keys in session JSON. Use the host secret store or environment variable only, redact existing .session_state files, and declare the credential requirement in metadata.
Preexisting state files could expose previous/test configuration or cause unexpected behavior for matching session IDs, and they normalize retaining sensitive session data.
The packaged artifact includes runtime session-state files, including an active sales state and an api_key field. Bundling persistent runtime state is not needed for the stated TTS purpose and can carry residual configuration into future runs.
    "mode": "sales",
    "stage": "active",
    ...
    "sales": {
        "api_key": "k",
        "voice_id": "male_0018_a",
        "audio_output_path": "D:/tmp",
        "product_name": "???????"
Remove .session_state files from the distributed skill, create state only at runtime in a host-approved cache location, and provide a cleanup/reset path that redacts secrets.
Customer-service messages, sales copy, and generated replies may be sent to SenseAudio and saved as local audio files.
The skill sends generated text to the SenseAudio TTS API with the API key and writes the returned audio bytes to disk. This is expected for the TTS purpose, but it is an external data flow plus local file output.
    return requests.post(
        self.TTS_API_URL,
        json=payload,
        headers={
            "Authorization": f"Bearer {self.api_key}",
            "Content-Type": "application/json",
        },
        timeout=60,
    )
    ...
    output_file.write_bytes(audio_bytes)
Use only non-sensitive content unless the provider and your organization permit it, and choose an output directory where retained audio files are appropriate.
Users may have less assurance about where the skill came from or which Python dependencies/runtime environment are expected.
The artifact has limited provenance information and no dependency/install declaration, even though code files are present. This does not show malicious behavior, but it reduces reviewability and reproducibility.
Source: unknown Homepage: none ... Install specifications No install spec — this is an instruction-only skill.
Publish a source repository/homepage and add explicit dependency metadata or an install specification.
