Scan Report
5 /100
smart-tts
Intelligent speech synthesis. Automatically tries multiple models/voices until one succeeds. Works around the 418 "resource not activated" error.
A straightforward TTS wrapper using the Dashscope SDK with no malicious behavior detected — reads one declared API key, calls a legitimate Alibaba Cloud API, and writes output files to a declared workspace path.
Safe to install
Approve for use. No security concerns require action.
Findings 2 items
| Severity | Finding | Category | Location |
|---|---|---|---|
| Low | Bare except clause swallows errors | RCE | scripts/generate.py:55 |
| Info | expanduser with fixed path is safe | Priv Escalation | scripts/generate.py:32 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | generate.py:line~52 writes to ~/.openclaw/workspace/tts_output.wav |
| Network | READ | READ | ✓ Aligned | dashscope SDK makes outbound HTTPS calls to Alibaba Cloud Dashscope API |
| Environment | READ | READ | ✓ Aligned | generate.py:12-14 reads DASHSCOPE_API_KEY from os.environ |
| Shell | NONE | NONE | — | No subprocess, os.system, or shell execution found |
| credential_theft | NONE | NONE | — | API key used only for authenticated TTS API calls to Dashscope |
File Tree
3 files · 7.4 KB · 258 lines (Python: 2 files, 203 lines; Markdown: 1 file, 55 lines)

├─ scripts/
│  ├─ batch.py (Python)
│  └─ generate.py (Python)
└─ SKILL.md (Markdown)
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| dashscope | unpinned | pip | No | Version not pinned in SKILL.md or code — recommend pinning for reproducibility |
Security Positives
✓ No subprocess, shell, or command execution
✓ No obfuscation (no base64, eval, or dynamic code generation)
✓ No credential exfiltration — API key sent only to declared Alibaba Cloud Dashscope API
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ No data exfiltration or C2 communication
✓ No hidden functionality — code is readable and matches stated purpose
✓ SDK dependency (dashscope) is a known legitimate Alibaba Cloud library