Skillv1.10.0

ClawScan security

Voice (Edge TTS) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 23, 2026, 5:25 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill generally matches its stated TTS purpose, but the implementation and docs conflict on security (use of shell exec, inconsistent input validation, hardcoded paths, runtime package installs), creating a real risk of command injection or unexpected behavior.
Guidance: This skill appears to be a legitimate Edge TTS tool but the implementation contradicts its security claims. Before installing or enabling it: 1) Do not run it in a sensitive environment until code is audited. 2) Fix the command-execution issues: replace execAsync(string) with spawn/execFile and consistently apply the voice whitelist for all actions. 3) Sanitize and/or restrict inputs used in any command or PowerShell -c invocation (the 'play' action accepts an arbitrary filePath). 4) Remove or correct the hardcoded ffplay path in stream_speak.py and ensure ffmpeg/ffplay usage is documented and optional. 5) Prefer pre-installing Python deps (pip install edge-tts) in a controlled environment rather than allowing runtime pip installs, and verify the source of any npm/pip packages (the package-lock references a non-default mirror). If you are not comfortable reviewing or changing code, avoid installing this skill or run it in an isolated sandbox.
Findings: [use_of_exec_with_concatenated_command] unexpected: index.js uses execAsync() with a command string built by joining arguments (edge-tts --text "..." ...). SKILL.md claims command injection protection and use of spawn instead — this is a direct contradiction and increases injection risk. [unvalidated_user_input_in_cmd] unexpected: The textToSpeech path accepts user text and voice and inserts them into a shell command string without applying the documented voice whitelist (whitelist is only used for 'stream'). User-controlled text/voice could affect the constructed command. [powershell_command_execution_with_interpolated_string] unexpected: playAudio uses spawn('powershell', ['-c', `(New-Object Media.SoundPlayer "${filePath}").PlaySync();`]) — passing an interpolated string to PowerShell -c can be dangerous if filePath is attacker-controlled (the 'play' action accepts a filePath parameter). [hardcoded_ffmpeg_path_in_python_script] unexpected: stream_speak.py hardcodes FFMPEG_PATH to 'E:\tools\ffmpeg\bin\ffplay'. Hardcoded absolute paths reduce portability and may mask behavior on systems without that path; it's not necessary for legitimate cross-platform skill behavior. [runtime_package_install_via_pip] expected: The skill runs 'pip3 install edge-tts' when installDependencies is invoked; network fetch of the edge-tts Python package is expected for this skill but it increases runtime risk and should be done deliberately in a controlled environment.

Review Dimensions

Purpose & Capability: noteThe skill's files and docs align with a Microsoft Edge TTS streaming tool (requires edge-tts and ffmpeg). However, package.json/lock also list an npm 'edge-tts' dependency while the implementation calls the Python CLI (pip edge-tts). This mismatch is odd but plausibly a packaging oversight rather than malicious.
Instruction Scope: concernSKILL.md repeatedly asserts 'no shell execution' and a strict voice whitelist, but the code contradicts this: index.js builds and runs a concatenated command string via execAsync for general TTS and for installation, and does not apply the voice whitelist for the 'tts' action (whitelist only enforced for 'stream'). The 'play' action calls PowerShell -c with an interpolated file path string, which can be abused if a user-controlled filePath is provided. These inconsistencies increase the chance of command injection or unexpected execution.
Install Mechanism: noteThere is no platform install spec, but the skill contains an installDependencies method that runs 'pip3 install edge-tts' at runtime (network fetch). package-lock.json shows an npm package resolved from a non-default mirror. Runtime installation and mixed packaging (Python CLI expected + npm dependency present) are moderate risk and should be reviewed.
Credentials: okThe skill requests no environment variables or credentials, which is proportional to a local TTS/playback tool. There are no declared secrets, though runtime pip/network access will occur if install is invoked.
Persistence & Privilege: okThe skill is not 'always: true' and does not request elevated platform persistence. It does create and clean a local temp directory under a relative path, which is expected behavior for temporary audio files.