Xiaomi TTS Text-to-Speech

Pass

Audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: xiaomi-tts
Version: 1.0.0

The skill is a legitimate text-to-speech tool that interfaces with the Xiaomi MiMo API. The script `scripts/xiaomi-tts.js` handles audio synthesis by sending requests to api.xiaomimimo.com and supports API key retrieval from environment variables or a local configuration file (~/.openclaw/config.json). No malicious patterns, such as unauthorized data exfiltration, obfuscation, or harmful prompt injection, were detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill may use your MiMo account/API quota to synthesize speech, including by automatically picking up a key stored in the OpenClaw config.

Why it was flagged

The script can use a MiMo API key from an argument, environment variable, or local OpenClaw config and sends it as the authorization credential for the stated TTS API.

Skill content

if (process.env.MIMO_API_KEY) return process.env.MIMO_API_KEY; ... const configPath = join(homedir(), ".openclaw", "config.json"); ... Authorization: `Bearer ${apiKey}`

Recommendation

Use a MiMo-specific key with appropriate limits, confirm it is intended for this service, and declare the required credential/config fallback in metadata.

What this means

Whatever text you ask it to speak is shared with the external TTS provider.

Why it was flagged

The text to be spoken and style are sent to the external MiMo API to obtain audio, which is necessary for this provider-backed TTS skill.

Skill content

const API_URL = "https://api.xiaomimimo.com/v1/chat/completions"; ... { role: "assistant", content: buildContent(text, style) }

Recommendation

Avoid sending sensitive or private text unless you trust the provider's handling of it.

What this means

Install-time expectations are less clear, so users may not realize a local Node runtime and API credential are needed until they inspect the instructions or code.

Why it was flagged

The registry metadata omits provenance and does not declare Node.js or the MiMo API key even though SKILL.md and the included script use them. Since the source code is included and no remote installer is shown, this is a disclosure/provenance note rather than evidence of malicious behavior.

Skill content

Source: unknown; Homepage: none; Required binaries (all must exist): none; Required env vars: none; Primary credential: none

Recommendation

Declare Node.js and MIMO_API_KEY in the skill metadata, and add a source/homepage if available.