Low risk: risk score 15/100
Last scanned: 2 days ago
xeontts
Xeon TTS: a local speech-synthesis skill providing voice-cloning and stylized TTS workflows for OpenClaw QQBOT
A legitimate TTS voice-cloning skill with no malicious behavior; base64 decoding is for decoding audio responses, shell scripts handle standard Python/Node environment setup, and model downloads target only HuggingFace. Minor concerns are undocumented shell execution and unpinned Python dependencies.
Skill name: xeontts
Analysis time: 40.1s
Engine: pi
OK to install
Document shell execution in SKILL.md and pin Python package versions in setup_env.sh for reproducibility.

Security findings: 5

Severity  Finding  Location
Low
Shell execution not declared in SKILL.md
SKILL.md does not list any allowed-tools. Multiple scripts (setup_env.sh, install.sh, configure_openclaw_integration.sh) execute shell commands (conda setup, pip install, node config patching) which require shell:WRITE capability.
No allowed-tools section present
→ Add an allowed-tools section declaring Bash for skill execution, Read and Write for filesystem operations, and network access for local Flask TTS.
SKILL.md:1
Low
Python package version not pinned
setup_env.sh installs xdp-tts-service via pip without a version specifier, relying on XDP_TTS_PIP_SPEC environment variable. This can result in non-deterministic installs.
pip install -q --upgrade "$TTS_PIP_SPEC"
→ Pin to a specific version: pip install -q xdp-tts-service==X.Y.Z
setup_env.sh:134
Info
Base64 audio decoding is legitimate
The pre-scan flagged Buffer.from(result.audio_base64, 'base64') as critical. This is normal TTS behavior: the Flask service returns audio as base64 and server.js decodes it to write a .wav file. No code obfuscation or suspicious use of base64 is present.
fs.writeFileSync(outputPath, Buffer.from(result.audio_base64, 'base64'))
→ No action needed; this is expected audio handling.
server.js:513
Info
Miniconda installed to home directory
setup_env.sh downloads and installs Miniconda3 to $HOME/miniconda3. This is standard Python environment management for ML workloads.
wget --timeout=120 -q "$conda_url" -O /tmp/miniconda.sh
→ No action needed; this is standard ML tooling.
setup_env.sh:110
Info
No sensitive data access or exfiltration
The skill has no code that accesses SSH keys, AWS credentials, .env files, or other sensitive paths. Network calls are limited to localhost (Flask TTS) and HuggingFace (model downloads). No external IP exfiltration.
Full review: no os.environ iteration, no ~/.ssh, no .env access, no curl-to-external-IP
→ No action needed.
server.js:1
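
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | WRITE | ✓ Consistent | setup_env.sh:1 - writes config files, tts_config.json, runtime dirs |
| Command execution | NONE | WRITE | ✓ Consistent | setup_env.sh, install.sh, configure_openclaw_integration.sh - bash scripts insta… |
| Network access | READ | READ | ✓ Consistent | server.js:495 - fetch to Flask TTS at 127.0.0.1:5002; setup_env.sh downloads fro… |
| Environment variables | NONE | READ | ✓ Consistent | setup_env.sh reads BASE_MODEL_PATH, HF_ENDPOINT, etc. |
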
2 critical, 14 findings

| Severity | Category | Finding | Evidence | Location |
|---|---|---|---|---|
| Critical | Encoded execution | Base64-encoded execution (code obfuscation) | Buffer.from(result.audio_base64, 'base64' | server.js:513 |
| Critical | Encoded execution | Base64-encoded execution (code obfuscation) | Buffer.from(data.audio_base64, 'base64' | server.js:557 |
| Medium | External URL | External URL | http://127.0.0.1:5002/api/tts/synthesize | .clawhub.json:13 |
| Medium | External URL | External URL | http://127.0.0.1:5002/api/health | README.md:164 |
| Medium | External URL | External URL | http://127.0.0.1:9002/health | README.md:194 |
| Medium | External URL | External URL | http://127.0.0.1:9002/api/workflow/message | README.md:202 |
| Medium | External URL | External URL | http://127.0.0.1:9002/api/workflow/reference-audio | README.md:210 |
| Medium | External URL | External URL | http://127.0.0.1:9002/api/tts/custom-speak | README.md:227 |
| Medium | External URL | External URL | http://127.0.0.1:9002 | SKILL.md:119 |
| Medium | External URL | External URL | https://paulmillr.com/funding/ | package-lock.json:27 |
| Medium | External URL | External URL | https://ko-fi.com/tunnckoCore/commissions | package-lock.json:69 |
| Medium | External URL | External URL | http://127.0.0.1 | server.js:685 |
| Medium | External URL | External URL | https://hf-mirror.com | setup_env.sh:4 |
| Medium | External URL | External URL | https://repo.anaconda.com/miniconda/Miniconda3-py310_23.11.0-2-Linux-x86_64.sh | setup_env.sh:110 |

Directory structure

17 files · 71.5 KB · 2183 lines
JavaScript 1f · 824L Shell 8f · 733L Markdown 2f · 434L JSON 6f · 192L
├─ 📋 _meta.json JSON 6L · 127 B
├─ 📋 .clawhub.json JSON 27L · 1010 B
├─ 📋 config.example.json JSON 21L · 698 B
├─ 🔧 configure_openclaw_integration.sh Shell 81L · 2.4 KB
├─ 🔧 install_systemd_services.sh Shell 62L · 1.8 KB
├─ 🔧 install.sh Shell 54L · 1.3 KB
├─ 📋 package-lock.json JSON 88L · 2.8 KB
├─ 📋 package.json JSON 22L · 690 B
├─ 📝 README.md Markdown 270L · 8.7 KB
├─ 🔧 self_check.sh Shell 86L · 3.1 KB
├─ 📜 server.js JavaScript 824L · 29.0 KB
├─ 🔧 setup_env.sh Shell 338L · 10.7 KB
├─ 📝 SKILL.md Markdown 164L · 5.1 KB
├─ 🔧 start_all.sh Shell 48L · 1.3 KB
├─ 🔧 start_tts_service.sh Shell 45L · 1.4 KB
├─ 🔧 stop_tts.sh Shell 19L · 509 B
└─ 📋 tts_config.example.json JSON 28L · 988 B

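Dependency analysis: 2 items

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| xdp-tts-service | * (unpinned) | pip | | Package version controlled by XDP_TTS_PIP_SPEC env var; not pinned |
| formidable | ^3.5.4 | npm | | Used for multipart file upload parsing in server.js |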

Security highlights

✓ No credential harvesting — no access to ~/.ssh, ~/.aws, .env, or environment variable iteration for secrets
✓ No data exfiltration — no POST to external IPs, no encoded network beacons
✓ No reverse shell or remote code execution vectors
✓ No hidden HTML comments or steganographic payloads
✓ No eval(), Function(), or dynamic code generation
✓ Base64 usage is exclusively for legitimate audio decode (Flask TTS returns base64-encoded WAV)
✓ Local network calls restricted to 127.0.0.1 (Flask TTS service)
✓ Config backup created before modification (configure_openclaw_integration.sh)
✓ File retention auto-cleanup prevents unbounded disk growth
✓ Explicit STT guard prevents misuse of TTS skill for ASR workloads