Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
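Xiaomi TTS Text-to-Speech
v1.0.0
Converts text to speech. It can send voice messages, read text aloud to me, sing, and speak in dialects or a cutesy high-pitched voice, with support for a range of emotions and styles.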
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's functionality (TTS via a remote MiMo API) matches its name/description and the script calls a plausible TTS endpoint (https://api.xiaomimimo.com/v1/chat/completions). However, the registry metadata lists no required environment variables or primary credential, while both SKILL.md and the script require a MIMO_API_KEY. The declared metadata is therefore inconsistent with what the skill needs.
Instruction Scope
SKILL.md instructs supplying MIMO_API_KEY (via environment variable or --api-key) and returning base64 WAV audio, both of which are consistent with TTS. The shipped script additionally attempts to read ~/.openclaw/config.json as a fallback to obtain the API key; reading a home-directory config file is outside the simple CLI usage described and should have been declared.
Install Mechanism
No install spec; the skill is instruction-only plus a small Node script. Nothing is downloaded at install time and no extra packages are forced onto the system by the skill metadata.
Credentials
The script requires a single API key (MIMO_API_KEY), which is proportional for a remote TTS service. But the registry metadata fails to declare this required credential. Additionally, the script attempts to read ~/.openclaw/config.json for mimo_api_key or MIMO_API_KEY — accessing a user config file is a broader access pattern that should be declared and justified.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not modify other skills or system-wide settings. It runs as a simple CLI script and has no elevated persistence requirements.
What to consider before installing
Before installing or running this skill, note that it needs an API key (MIMO_API_KEY) even though the registry metadata doesn't declare it. The included script will also try to read ~/.openclaw/config.json for that key, so check what that file contains and whether you are comfortable with the skill reading it. Verify that https://api.xiaomimimo.com is the intended/official service for this skill and that your API key is scoped/limited appropriately. If you are unsure, ask the publisher to (1) update the skill metadata to declare MIMO_API_KEY, (2) document why the script reads ~/.openclaw/config.json, and (3) provide provenance for the API endpoint. If you must test it, do so in an isolated environment and avoid using high-privilege or broadly-scoped keys.
scripts/xiaomi-tts.js:18
Environment variable access combined with network send.
scripts/xiaomi-tts.js:7
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
