Lux Tts
Security checks across malware telemetry and agentic risk
Overview
This looks like a local TTS skill, but it recommends running missing administrator-level installer scripts and the included implementation appears to be a simulated TTS rather than the advertised full voice-cloning model.
Review carefully before installing. Do not run the referenced install.bat, deploy.ps1, or download scripts as administrator unless you have obtained and inspected them from a trusted source. Prefer a manual virtual environment with pinned dependencies, verify the Hugging Face model source, and be aware that the packaged code appears to be a mock TTS implementation rather than the advertised full voice-cloning system.
VirusTotal
65/65 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Following the recommended setup could run installer code that was not included in the reviewed skill package.
The guide recommends an administrator one-click installer, but the provided file manifest does not include install.bat or the referenced deploy/download scripts, leaving users dependent on unreviewed external or local code.
Option 1: One-click install (recommended) ... # Run as administrator ... E:\桌面\openclaw-main\workspace\lux-tts\install.bat
Do not run missing installer scripts blindly; obtain them from a trusted source, inspect them first, and prefer a pinned manual virtual-environment install.
An administrator installer can modify the system broadly if the referenced script is unsafe or replaced.
Administrator execution is requested for installation, but the artifacts do not justify why a local TTS integration needs elevated privileges, and the referenced script is not provided for review.
# Run as administrator ... E:\桌面\openclaw-main\workspace\lux-tts\install.bat
Avoid administrator execution unless absolutely necessary and only after reviewing the exact installer contents.
A user could be induced to run an unreviewed PowerShell script with reduced execution-policy protections.
The guide suggests bypassing PowerShell execution policy for a deployment script that is not included in the reviewed artifacts; this is user-directed setup, but it weakens a local script-execution safeguard.
powershell -ExecutionPolicy Bypass -File deploy.ps1
Use normal execution policy where possible, inspect the script, verify its source, and avoid bypass flags for unknown setup files.
Users may trust the skill to provide real high-quality voice cloning when the packaged implementation may only provide a mock/test generator.
The code discloses that the included ready implementation is a simulated version generating mock audio, while the skill description advertises a high-quality LuxTTS model with voice cloning.
Fully usable simulated version of LuxTTS ... can be seamlessly replaced with the real model in the future ... # Generate simulated audio
Clearly label the skill as a simulator or include the real model integration, and avoid relying on it for production TTS until verified.
Incorrect or unsafe paths could copy or overwrite local files in the voice directory.
The voice-management helper copies user-selected audio files into the persistent voices directory; this is purpose-aligned for voice cloning, but path/name choices should remain user-controlled and reviewed.
target_path = os.path.join(voices_dir, name) ... shutil.copy2(audio_path, target_path)
Only add trusted voice files and use simple filenames rather than absolute or traversal-style paths.
