Scan Report
5/100
smart-tts
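Intelligent speech synthesis. Automatically tries multiple models/voices until one succeeds. Resolves the 418 "resource not activated" problem.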
A straightforward TTS wrapper using the Dashscope SDK with no malicious behavior detected — reads one declared API key, calls a legitimate Alibaba Cloud API, and writes output files to a declared workspace path.
OK to install
Approve for use. No security concerns require action.
Security findings: 2

| Severity | Finding | Category | Location |
|---|---|---|---|
| Low | Bare except clause swallows errors | Code execution | scripts/generate.py:55 |
| Info | expanduser with fixed path is safe | Privilege escalation | scripts/generate.py:32 |

| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | WRITE | WRITE | ✓ Consistent | generate.py:line~52 writes to ~/.openclaw/workspace/tts_output.wav |
| Network access | READ | READ | ✓ Consistent | dashscope SDK makes outbound HTTPS calls to Alibaba Cloud Dashscope API |
| Environment variables | READ | READ | ✓ Consistent | generate.py:12-14 reads DASHSCOPE_API_KEY from os.environ |
| Command execution | NONE | NONE | — | No subprocess, os.system, or shell execution found |
| Credential theft | NONE | NONE | — | API key used only for authenticated TTS API calls to Dashscope |
Directory structure
3 files · 7.4 KB · 258 lines (Python: 2 files, 203 lines; Markdown: 1 file, 55 lines)
├─ scripts
│  ├─ batch.py (Python)
│  └─ generate.py (Python)
└─ SKILL.md (Markdown)
Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| dashscope | unpinned | pip | No | Version not pinned in SKILL.md or code — recommend pinning for reproducibility |
Security highlights
✓ No subprocess, shell, or command execution
✓ No obfuscation (no base64, eval, or dynamic code generation)
✓ No credential exfiltration — API key sent only to declared Alibaba Cloud Dashscope API
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ No data exfiltration or C2 communication
✓ No hidden functionality — code is readable and matches stated purpose
✓ SDK dependency (dashscope) is a known legitimate Alibaba Cloud library