Back to skill
Skillv1.10.0
VirusTotal security
Voice (Edge TTS) · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:26 AM
- Hash
- 8bd49603cd2c1af09fc986a242ff04a8e8a69df291cfd45e6047b5c35b5f1e79
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: voice-edge-tts Version: 1.10.0 The `index.js` file contains a shell injection vulnerability in the `textToSpeech` function, which is used by the 'tts' and 'speak' actions. Parameters like `voice`, `rate`, `volume`, and `pitch` are concatenated directly into a command string executed via `util.promisify(exec)` without sufficient sanitization or validation, despite the `SKILL.md` and `CHANGELOG.md` explicitly claiming 'enterprise-grade security' and 'full command injection protection'. This allows for potential arbitrary command execution if an attacker can control these input options. While the 'stream' action is implemented securely using `spawn` with array arguments and input validation, the inconsistency and critical flaw in other core functionalities make this skill suspicious due to the severe vulnerability.
- External report
- View on VirusTotal