Voice (Edge TTS)

Convert text to speech using Microsoft Edge TTS with real-time streaming, customizable voice settings, and support for multiple languages including Chinese a...

This skill appears to be a legitimate Edge TTS tool but the implementation contradicts its security claims. Before installing or enabling it: 1) Do not run it in a sensitive environment until code is audited. 2) Fix the command-execution issues: replace execAsync(string) with spawn/execFile and consistently apply the voice whitelist for all actions. 3) Sanitize and/or restrict inputs used in any command or PowerShell -c invocation (the 'play' action accepts an arbitrary filePath). 4) Remove or correct the hardcoded ffplay path in stream_speak.py and ensure ffmpeg/ffplay usage is documented and optional. 5) Prefer pre-installing Python deps (pip install edge-tts) in a controlled environment rather than allowing runtime pip installs, and verify the source of any npm/pip packages (the package-lock references a non-default mirror). If you are not comfortable reviewing or changing code, avoid installing this skill or run it in an isolated sandbox.

Type: OpenClaw Skill Name: voice-edge-tts Version: 1.10.0 The `index.js` file contains a shell injection vulnerability in the `textToSpeech` function, which is used by the 'tts' and 'speak' actions. Parameters like `voice`, `rate`, `volume`, and `pitch` are concatenated directly into a command string executed via `util.promisify(exec)` without sufficient sanitization or validation, despite the `SKILL.md` and `CHANGELOG.md` explicitly claiming 'enterprise-grade security' and 'full command injection protection'. This allows for potential arbitrary command execution if an attacker can control these input options. While the 'stream' action is implemented securely using `spawn` with array arguments and input validation, the inconsistency and critical flaw in other core functionalities make this skill suspicious due to the severe vulnerability.