Zyt TTS

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Chanjing text-to-speech integration that uses local Chanjing credentials and sends requested text to Chanjing's API.

Install only if you are comfortable storing Chanjing API credentials locally and sending synthesis text to Chanjing. Use a dedicated/revocable API key if possible, keep the credentials file private, and check the documented helper scripts, which are missing, before relying on the example commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill documentation describes capabilities including environment-variable access, local file reads/writes, network calls, and shell script execution, but the manifest only declares env requirements and does not explicitly declare broader permissions. This creates a transparency and least-privilege issue: users or the platform may not realize the skill can touch local credential files and invoke scripts that make outbound requests.

Credential Access

High
Category
Privilege Escalation
Content
---
name: zyt-tts-test
description: Use Chanjing TTS API to convert text to speech by listing voices, creating synthesis tasks, and polling task status. This skill reads app_id and secret_key from ~/.chanjing/credentials.json or $CHANJING_CONFIG_DIR/credentials.json, refreshes access_token for API calls, and returns login guidance when credentials are missing or invalid.
metadata:
  openclaw:
    requires:
Confidence
93% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
---
name: zyt-tts-test
description: Use Chanjing TTS API to convert text to speech by listing voices, creating synthesis tasks, and polling task status. This skill reads app_id and secret_key from ~/.chanjing/credentials.json or $CHANJING_CONFIG_DIR/credentials.json, refreshes access_token for API calls, and returns login guidance when credentials are missing or invalid.
metadata:
  openclaw:
    requires:
Confidence
93% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
This skill reads credentials from:

- `~/.chanjing/credentials.json`
- or `$CHANJING_CONFIG_DIR/credentials.json`

The credentials file should contain:
Confidence
94% confidence
Finding
credentials.json

VirusTotal

57/57 vendors flagged this skill as clean.
