小米tts文字转语音

PassAudited by ClawScan on May 10, 2026.

Overview

This appears to be a normal text-to-speech helper, but it sends your text and a MiMo API key to an external Xiaomi MiMo API and the registry metadata under-declares that credential use.

Before installing, confirm you trust api.xiaomimimo.com, set a limited MiMo API key intentionally, and avoid synthesizing sensitive text unless you are comfortable sharing it with that provider. Be aware the script may read ~/.openclaw/config.json for a MiMo key and can overwrite the output file path you choose.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI03: Identity and Privilege Abuse

What this means

The skill may use your MiMo account/API quota to synthesize speech, including by automatically picking up a key stored in the OpenClaw config.

Why it was flagged

The script can use a MiMo API key from an argument, environment variable, or local OpenClaw config and sends it as the authorization credential for the stated TTS API.

Skill content

if (process.env.MIMO_API_KEY) return process.env.MIMO_API_KEY; ... const configPath = join(homedir(), ".openclaw", "config.json"); ... Authorization: `Bearer ${apiKey}`

Recommendation

Use a MiMo-specific key with appropriate limits, confirm it is intended for this service, and declare the required credential/config fallback in metadata.

Low

#ASI07: Insecure Inter-Agent Communication

What this means

Whatever text you ask it to speak is shared with the external TTS provider.

Why it was flagged

The text to be spoken and style are sent to the external MiMo API to obtain audio, which is necessary for this provider-backed TTS skill.

Skill content

const API_URL = "https://api.xiaomimimo.com/v1/chat/completions"; ... { role: "assistant", content: buildContent(text, style) }

Recommendation

Avoid sending sensitive or private text unless you trust the provider's handling of it.

Info

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Install-time expectations are less clear, so users may not realize a local Node runtime and API credential are needed until they inspect the instructions or code.

Why it was flagged

The registry metadata omits provenance and does not declare Node.js or the MiMo API key even though SKILL.md and the included script use them. Since the source code is included and no remote installer is shown, this is a disclosure/provenance note rather than evidence of malicious behavior.

Skill content

Source: unknown; Homepage: none; Required binaries (all must exist): none; Required env vars: none; Primary credential: none

Recommendation

Declare Node.js and MIMO_API_KEY in the skill metadata, and add a source/homepage if available.