coze-voice-gen 安全扫描报告 — 可信 | ClawSafe

5 /100

coze-voice-gen

Text-to-Speech (TTS) and Speech-to-Text (ASR) using coze-coding-dev-sdk

This is a legitimate TTS/ASR voice processing skill using coze-coding-dev-sdk with no malicious indicators found.

技能名称coze-voice-gen

分析耗时23.8s

引擎pi

✓

可以安装

This skill is safe to use. No security concerns identified.

资源类型	声明权限	推断权限	状态	证据
命令执行	`WRITE`	`WRITE`	✓ 一致	SKILL.md line 1: uses npx ts-node for execution
文件系统	`READ`	`READ`	✓ 一致	asr.ts line 71: fs.readFileSync - only user-specified files
网络访问	`READ`	`READ`	✓ 一致	SDK communicates with coze.com API
环境变量	`NONE`	`NONE`	—	No environment variable access detected
技能调用	`NONE`	`NONE`	—	No inter-skill invocation
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	No browser automation
数据库	`NONE`	`NONE`	—	No database access

1 项发现

🔗

中危外部 URL 外部 URL

https://www.coze.com

SKILL.md:4

目录结构

3 文件 · 10.9 KB · 400 行

TypeScript 2f · 262L Markdown 1f · 138L

├─ ▾ 📁 scripts

│ ├─ 📜 asr.ts TypeScript 132L · 3.3 KB

│ └─ 📜 tts.ts TypeScript 130L · 4.0 KB

└─ 📝 SKILL.md Markdown 138L · 3.6 KB

包名	版本	来源	已知漏洞	备注
`coze-coding-dev-sdk`	`*`	npm	否	External SDK - version not pinned, but standard npm package

✓ No credential harvesting or sensitive data exfiltration

✓ No base64-encoded obfuscation or eval() calls

✓ No remote script execution (curl|bash pattern)

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)

✓ File system access limited to user-specified audio files for ASR

✓ Documentation accurately reflects code functionality

✓ Uses a legitimate third-party SDK (coze-coding-dev-sdk) for voice processing

✓ No hidden instructions or prompt injection detected