ifly-voiceclone-tts 安全扫描报告 — 低风险 | ClawSafe

20 /100

ifly-voiceclone-tts

iFlytek Voice Clone tts — train a custom voice model from audio samples and synthesize speech with the cloned voice using iFlytek's Voice Clone API. Pure Python stdlib, no pip dependencies.

Legitimate iFlytek voice cloning skill with no malicious behavior; minor documentation gaps exist between declared allowed tools and actual network/filesystem usage, but all code is clearly tied to documented functionality.

技能名称ifly-voiceclone-tts

分析耗时49.0s

引擎pi

✓

可以安装

Update SKILL.md to formally declare network and filesystem write permissions required for the iFlytek API workflow. Consider adding a small _meta.json with the capability map. No blocking security concerns identified.

安全发现 4 项

严重性	安全发现	位置
低危	Network access not formally declared in allowed-tools 文档欺骗 SKILL.md declares no allowed-tools, yet the Python script makes HTTP POST requests (urllib.request) and WebSocket connections to three iFlytek domains: opentrain.xfyousheng.com (training API), avatar-hci.xfyousheng.com (auth token), and cn-huabei-1.xf-yun.com (TTS WebSocket). All targets are documented in SKILL.md footnotes, but they are not mapped to allowed-tools. `No allowed-tools declaration present` → Add allowed-tools section to SKILL.md: WebFetch→network:READ, Read→filesystem:READ, Write→filesystem:WRITE	`SKILL.md:1`
低危	Filesystem write not formally declared in allowed-tools 文档欺骗 The script writes synthesized audio (MP3/PCM/etc.) to disk via open(output_path, 'wb'). SKILL.md does not declare filesystem:WRITE. This is necessary behavior but undocumented at the tool-permission level. `with open(output_path, 'wb') as f: f.write(audio_data)` → Declare filesystem:WRITE in allowed-tools mapping or clarify in documentation that output audio is written to disk	`scripts/voiceclone.py:368`
提示	API credentials read from environment — expected and declared 凭证窃取 The script reads IFLY_APP_ID, IFLY_API_KEY, IFLY_API_SECRET from os.environ. These are sent only to official iFlytek servers as part of normal API authentication. No exfiltration observed. `app_id = os.environ.get('IFLY_APP_ID'); api_key = os.environ.get('IFLY_API_KEY')` → No action needed. This is expected behavior for an API client tool.	`scripts/voiceclone.py:312`
提示	Local audio file read — expected and declared in SKILL.md 敏感访问 The script reads local audio files (wav/mp3/m4a/pcm) for upload to the training API. SKILL.md documents --audio flag. No exfiltration of audio data observed; it is sent only to the official iFlytek training endpoint. `with open(audio_path, 'rb') as f: audio_data = f.read()` → No action needed. This is a core feature of the voice cloning tool.	`scripts/voiceclone.py:337`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`READ`	✓ 一致	scripts/voiceclone.py:337 — reads local audio files for upload
文件系统	`NONE`	`WRITE`	✗ 越权	scripts/voiceclone.py:368 — open(output_path, 'wb') writes MP3 audio
网络访问	`NONE`	`READ`	✗ 越权	scripts/voiceclone.py:50,57,62 — HTTP POSTs and WebSocket connections to iFlytek…
命令执行	`NONE`	`NONE`	—	No shell execution detected
环境变量	`NONE`	`READ`	✓ 一致	SKILL.md declares IFLY_APP_ID, IFLY_API_KEY, IFLY_API_SECRET env vars; code read…
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	No browser access
数据库	`NONE`	`NONE`	—	No database access

7 项发现

🔗

中危外部 URL 外部 URL

https://console.xfyun.cn

SKILL.md:12

🔗

中危外部 URL 外部 URL

http://opentrain.xfyousheng.com/voice_train

SKILL.md:128

🔗

中危外部 URL 外部 URL

https://www.xfyun.cn/doc/spark/voiceclone.html

SKILL.md:137

🔗

中危外部 URL 外部 URL

https://console.xfyun.cn/workorder/commit

SKILL.md:163

🔗

中危外部 URL 外部 URL

https://console.xfyun.cn/services/oneSentenceV2

SKILL.md:207

🔗

中危外部 URL 外部 URL

https://console.xfyun.cn/sale/buy?wareId=9188&packageId=9188001&serviceName=%E4%B8%80%E5%8F%A5%E8%AF%9D%E5%A4%8D%E5%88%B...

SKILL.md:208

🔗

中危外部 URL 外部 URL

http://avatar-hci.xfyousheng.com/aiauth/v1/token

scripts/voiceclone.py:50

目录结构

2 文件 · 43.6 KB · 1082 行

Python 1f · 872L Markdown 1f · 210L

├─ ▾ 📁 scripts

│ └─ 🐍 voiceclone.py Python 872L · 32.7 KB

└─ 📝 SKILL.md Markdown 210L · 10.9 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`None (stdlib only)`	`N/A`	Python standard library	否	No pip dependencies — all imports are from the Python standard library (argparse, base64, hashlib, hmac, json, os, ssl, struct, sys, threading, time, urllib.parse, urllib.request, datetime, wsgiref.handlers)

安全亮点

✓ Pure Python stdlib only — no pip dependencies, no third-party packages, minimal supply chain risk

✓ All network targets are officially documented iFlytek endpoints; no rogue IP addresses or unknown domains

✓ No obfuscation techniques detected — code is readable, no base64-encoded payloads executed, no eval()

✓ No credential harvesting beyond what is required for iFlytek API authentication

✓ No sensitive path access (no ~/.ssh, ~/.aws, .env file reading)

✓ No persistence mechanisms (no cron, no startup hooks, no backdoors)

✓ No reverse shell, no C2 communication, no data exfiltration

✓ API keys are sent only to official iFlytek servers via standard HTTP/WebSocket protocols

✓ Well-structured code with clear separation of concerns (TrainClient, VoiceCloneSynthesizer, SimpleWebSocket)