Skillv1.0.0

ClawScan security

Qwen3 TTS Instruct · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 11, 2026, 9:32 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill largely matches a TTS integration but has inconsistencies (registry metadata omits a required API key), contains instructions that push the agent to always route voice output through it, and the shipped script uses subprocess/networking so you should audit the code before trusting keys.
Guidance: This skill appears to be a genuine TTS client, but there are a few red flags you should consider before installing: - Manifest mismatch: the platform metadata claims no required env vars, but SKILL.md and setup.sh require DASHSCOPE_API_KEY. Treat that as a sign to be cautious — the skill will need a secret. - Audit the code (scripts/tts.py) before exporting any API key. Look specifically for any subprocess.run or os.system calls that use unescaped user input (command-injection risk) and verify all network endpoints are only DashScope/Aliyun hosts. - Limit the API key's permissions and rotate it after testing; do not reuse high-privilege or long-lived credentials. - Note the instruction to ‘always call’ this skill: installing it may change agent behavior if you allow autonomous invocation. If you do not want every voice response routed through an external service, keep autonomous invocation disabled or decline to follow the 'always call' guideline. If you want a higher-confidence verdict provide the full, untruncated scripts/tts.py content (so we can inspect any subprocess calls and all network endpoints) and confirm whether the registry metadata can be corrected to declare DASHSCOPE_API_KEY explicitly.

Review Dimensions

Purpose & Capability: concernThe skill's stated purpose (Alibaba Bailian Qwen TTS) aligns with the code and setup (dashscope SDK, websocket TTS). However the registry metadata provided to the platform says there are no required environment variables or primary credential, while the SKILL.md and setup script clearly declare and require DASHSCOPE_API_KEY (and a python3 binary). This inconsistency is unexpected and reduces trust in the manifest.
Instruction Scope: noteSKILL.md contains normal usage and install instructions for a TTS client, but it also contains behavioral directives for the agent: a 'SYSTEM MEMORY UPDATE' and a rule that 'Every voice response MUST call this skill.' That is scope-expanding (forces routing of all voice outputs through the skill) and changes agent behavior beyond a single invoked action. The instructions otherwise only reference the TTS service and local env vars; there are no obvious directions to read unrelated system files, but the file advises internal translation and reformatting which affects conversational flow.
Install Mechanism: okThere is no remote binary download; installation is via the included setup.sh which creates a venv and pip-installs dashscope, websocket-client, and soundfile. This is proportionate to a Python TTS client and uses known Python packages. No external arbitrary archive downloads or URL shorteners are used.
Credentials: concernThe number of environment variables used by the code is small and relevant (DASHSCOPE_API_KEY required; optional DASHSCOPE_URL, BAILIAN_VOICE, BAILIAN_MP3). However the platform/registry metadata omits the DASHSCOPE_API_KEY requirement while SKILL.md marks it as required and as the primary credential. That mismatch is suspicious: the skill will need an API key (a secret) but the registry entry does not advertise it. Also the code will open network connections to DashScope endpoints — ensure the API key you provide is scoped appropriately.
Persistence & Privilege: okThe skill is not marked always:true, does not request system-wide config changes, and the install only creates a local venv under the skill directory. It does not request permanent elevated presence in the registry metadata. Autonomous invocation is enabled (default) which is expected for skills.