Trusted (risk score 5/100)
Last scanned: 2 days ago
speech-synthesizer
Text-to-speech (TTS) tool supporting edge-tts and OpenAI-compatible API TTS
This is a legitimate text-to-speech skill using edge-tts and OpenAI-compatible APIs. No malicious behavior detected.
Skill name: speech-synthesizer
Analysis time: 33.5s
Engine: pi
Can be installed
Skill is safe to use. Consider documenting the network access requirement more explicitly in SKILL.md.

Security findings: 1

Severity: Low
Finding: Incomplete allowed-tools declaration
SKILL.md declares filesystem access but does not list 'network:READ' for edge-tts service calls or OpenAI API calls. The code legitimately requires network access for TTS functionality.
allowed-tools mapping not present in frontmatter
→ Add 'WebFetch → network:READ' to allowed-tools if documenting capability model
Location: SKILL.md:1
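Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | READ | WRITE | ✓ Consistent | scripts/tts_simple.py:115 - writes to projects/tts/output/
Network access | NONE | READ | ✗ Exceeds declared | scripts/tts_simple.py:52 - calls edge-tts service
Environment variables | READ | READ | ✓ Consistent | scripts/tts_simple.py:101-102 - reads TTS_API_URL and TTS_API_KEY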
1 finding
Medium: External URL
https://www.bing.com
SKILL.md:230

Directory structure

4 files · 19.0 KB · 620 lines
Python 2f · 331L Markdown 1f · 276L Text 1f · 13L
├─ 📁 scripts
│ ├─ 🐍 tts_edge.py Python 126L · 4.4 KB
│ └─ 🐍 tts_simple.py Python 205L · 6.8 KB
├─ 📄 requirements.txt Text 13L · 873 B
└─ 📝 SKILL.md Markdown 276L · 7.0 KB

Dependency analysis: 3 items

Package | Version | Source | Known vulnerabilities | Notes
edge-tts | >=7.0.0 | pip | | Standard Microsoft Neural TTS library
openai | >=1.0.0 | pip | | Official OpenAI Python client
aiohttp | >=3.8.0 | pip | | HTTP client library, transitive dep

Security highlights

✓ No shell execution (subprocess, os.system, etc.)
✓ No credential harvesting or exfiltration - API key used only for legitimate TTS API calls
✓ No base64/eval obfuscation patterns
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No remote script execution (curl|bash, wget|sh)
✓ Clean, straightforward TTS implementation
✓ Dependencies are standard legitimate libraries (edge-tts, openai)