v1.0.1

vociemaster

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:23 AM.

Analysis

VoiceMaster appears coherent for generating AI voiceovers, with expected API-key, external SenseAudio API, and local audio-tool use that users should understand before installing.

GuidanceInstall only if you are comfortable using your SenseAudio API key and sending voiceover text to SenseAudio. Keep the key in an environment variable, review the output path before generation, and be aware that provenance metadata is limited because no source or homepage is provided.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

SKILL.md

requires:
  bins:
    - curl
    - jq
    - ffmpeg
...
全部片段生成完成后，优先使用 `helper.py concat` 合并为一个 `mp3`。

The skill relies on local command-line tools and a helper to call the API and merge audio segments; this is central to the stated voiceover workflow.

User impactThe skill may run local media-processing commands and create or overwrite the chosen audio output file.

RecommendationChoose output paths carefully, avoid overwriting important files, and keep ffmpeg and related tools updated.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceMediumStatusNote

metadata

Source: unknown
Homepage: none

The skill does not provide a public source or homepage, so independent provenance is limited even though the included artifacts are coherent.

User impactIt may be harder to verify the publisher, review history, or obtain updates outside the registry.

RecommendationReview the included SKILL.md and helper.py before use, and prefer trusted publishers or a public source link for production workflows.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

SKILL.md

先检查环境变量 `SENSEAUDIO_API_KEY`。如果已经存在，直接使用；如果不存在，再提示用户提供 API Key 或先在终端设置环境变量。不要把密钥写进 `SKILL.md`、脚本源码或提交记录。

The skill requires a SenseAudio API key and uses it for the intended TTS provider; it also tells the user not to store the key in files or source.

User impactGenerating audio can use the user's SenseAudio account, quota, or billing plan.

RecommendationUse an environment variable, prefer a limited or revocable API key if available, and monitor/revoke the key if it is exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

SKILL.md

curl -sS "https://api.senseaudio.cn/v1/t2a_v2" \
  -H "Authorization: Bearer $SENSEAUDIO_API_KEY" \
  -H "Content-Type: application/json" \
  --data-binary @-

The request sends the script text and API authorization to the SenseAudio endpoint, which is expected for cloud TTS but is still an external data flow.

User impactVoiceover text may leave the local environment and be processed by SenseAudio.

RecommendationAvoid submitting confidential scripts unless you are comfortable with SenseAudio handling them, and review the provider's privacy and retention terms.