by 安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This skill is suspicious because its documentation promises automatic Pinyin→Hanzi conversion and segmentation, but the included script only synthesizes audio for segments you must supply. Before installing or running: (1) ask the author to clarify where Pinyin detection/conversion is implemented or provide the code; (2) do not run the script as-is if it references another user's home (/home/jackie_chen_phong) — update paths to your workspace; (3) ensure edge-tts and ffmpeg are installed from tr...详细分析 ▾
⚠ 用途与能力
The skill claims 'Intelligent Pinyin Conversion' and automatic language segmentation, but the included Python script does not implement any Pinyin detection or conversion — it simply expects a JSON array of segments. Additionally, the SKILL.md and script hardcode absolute paths tied to a specific user (/home/jackie_chen_phong and /home/jackie_chen_phong/.local/bin/edge-tts), which is unrelated to the TTS algorithmic claim and suggests poor packaging or a mismatch between author environment and expected runtime.
⚠ 指令范围
SKILL.md instructs the agent to detect Pinyin, convert to Hanzi, strip emojis, and segment text before calling the script. Those preprocessing steps are not present in scripts/smart_speak.py, so the agent (or integrator) must perform them itself. The instructions also require using an absolute workspace path and assume edge-tts exists at a hardcoded user path — both grant broad assumptions about the host filesystem and agent behavior that are outside the skill's stated purpose.
ℹ 安装机制
There is no install spec (instruction-only with a bundled script). That is low-risk in general, but the script depends on external binaries (edge-tts and ffmpeg) without providing installation instructions. The script assumes edge-tts is at a specific user location, which is brittle and may hide unauthorized dependency expectations if blindly executed.
⚠ 凭证需求
The manifest declares no credentials or env vars (good), but the SKILL.md and script hardcode a particular user's home and local binary path. Requesting or assuming access to a specific home directory is disproportionate and possibly inappropriate for a generic skill; it could cause accidental access to user-specific data or failures if that path doesn't exist.
✓ 持久化与权限
The skill is not always-enabled and does not request elevated platform privileges. It does execute local binaries (edge-tts, ffmpeg) and writes output to disk within the workspace, which is expected for a TTS merging utility.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/3/12
NULL
● 无害
安装命令
点击复制官方npx clawhub@latest install smart-speak-vutran
镜像加速npx clawhub@latest install smart-speak-vutran --registry https://cn.longxiaskill.com镜像同步中