v1.0.0

Lux Tts

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:46 AM.

Analysis

This local TTS skill mostly stays local, but it asks users to run unreviewed elevated installer scripts and the included implementation appears to be a simulator despite high-quality voice-cloning claims.

Guidance

Review this skill carefully before installing. Do not run the recommended administrator installer or PowerShell bypass commands unless you can inspect the missing scripts and trust their source. Treat the included code as a local simulator unless the real LuxTTS components are separately verified, and avoid giving the tool arbitrary file paths or voice names.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: High | Confidence: High | Status: Concern
INSTALL_GUIDE.md
One-click install (recommended) ... # Run as administrator ... install.bat ... powershell -ExecutionPolicy Bypass -File deploy.ps1

The guide recommends elevated installer execution and PowerShell policy bypass for scripts that are not included in the provided file manifest, creating an unreviewed-code provenance gap.

User impact: Following the recommended install path could run unreviewed code with administrator privileges on the user’s machine.
Recommendation: Provide the installer scripts in the package, avoid administrator execution unless strictly necessary, document exactly what they do, and pin or verify downloaded dependencies and model files.

Human-Agent Trust Exploitation
Severity: Medium | Confidence: High | Status: Concern
lux_tts_ready.py
Fully usable LuxTTS simulated version ... Generate base audio (simulated speech) ... audio = 0.4 * np.sin(...)

The included implementation says it is a simulated version and generates synthetic sine-wave audio, which conflicts with the skill’s high-quality LuxTTS and voice-cloning marketing claims.

User impact: A user may install the skill expecting real high-quality voice cloning, while the reviewed code may only produce placeholder audio unless separate unreviewed components are installed.
Recommendation: Clearly label the package as a simulator or include the real reviewed implementation, and separate demo behavior from production capability claims.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
lux_tts_tool.py
target_path = os.path.join(voices_dir, name) ... shutil.copy2(audio_path, target_path)

The voice-add method builds a destination path from a caller-controlled name without showing checks against absolute paths, '..' traversal, or overwrites.

User impact: If the agent or a user supplies an unsafe voice name, the skill could copy files outside the intended voices directory and potentially overwrite local files.
Recommendation: Restrict voice names to safe basenames, reject absolute paths and traversal, keep writes inside the voices directory, and require confirmation before overwriting files.