iFlytek Ultra-Realistic TTS

by jpengcheng523-netizen · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
151 Downloads · 0 Stars · 1 Active Installs · 1 Versions
Install in OpenClaw
/install xfyun-tts
Description
iFlytek Ultra-Realistic TTS (超拟人语音合成) — synthesize natural, expressive speech from text using iFlytek's ultra-realistic voice synthesis API. Supports 50+ voi...
Usage Guidance
This skill appears to implement the claimed iFlytek TTS functionality, but there are two issues you should consider before installing or using it:
  1. Metadata mismatch — The registry entry claims no required environment variables, but SKILL.md and the bundled script require XFYUN_APP_ID, XFYUN_API_KEY, and XFYUN_API_SECRET. Do not provide sensitive credentials unless you trust the publisher. Ask the maintainer to fix the metadata so the required secrets are visible up front.
  2. Insecure TLS — The Python WebSocket client in scripts/tts.py explicitly disables TLS certificate verification (check_hostname=False and verify_mode=ssl.CERT_NONE). This can enable man-in-the-middle attacks that could capture your API keys or audio data. Request a version that validates certificates, or run the script only in a controlled environment or over a trusted network. Prefer using an official SDK or a verified client that performs proper TLS validation.
Other suggestions:
  - Verify the endpoint host and that it matches the official provider; confirm the code hasn’t been tampered with (no homepage/source is provided).
  - Inspect the remainder of scripts/tts.py (file was truncated in the listing) to ensure there is no hidden data exfiltration or logging of secrets.
  - Limit the API key permissions (use least privilege) and consider creating a dedicated test account/keys for evaluation.
Given these issues, treat the skill with caution. The problems look like sloppy or risky engineering rather than clear malicious intent, but they are serious enough to delay use until corrected.
Capability Analysis
Type: OpenClaw Skill
Name: xfyun-tts
Version: 1.0.0
The script scripts/tts.py implements a custom WebSocket client to interact with iFlytek's TTS API but explicitly disables SSL certificate verification (ssl.CERT_NONE), which is a significant security vulnerability allowing for potential man-in-the-middle attacks. While the code appears to align with its stated purpose of speech synthesis and uses only standard libraries, the intentional bypass of transport security warrants a suspicious classification.
Capability Assessment
Purpose & Capability
The skill's name/description (iFlytek Ultra-Realistic TTS) matches the code and SKILL.md: it implements a WebSocket-based TTS client for the stated endpoint. However, registry metadata lists no required environment variables while SKILL.md and scripts/tts.py clearly require XFYUN_APP_ID, XFYUN_API_KEY, and XFYUN_API_SECRET. That metadata omission is an incoherence that could mislead users into installing without realizing credentials are needed.
Instruction Scope
The runtime instructions and code scope are limited to reading text (positional arg, file, or stdin), contacting the iFlytek WebSocket endpoint, and writing an audio file — that is coherent for TTS. However, the included client disables TLS verification (ctx.check_hostname = False and ctx.verify_mode = ssl.CERT_NONE), which weakens transport security and could allow a man-in-the-middle to observe or tamper with content or credentials. The code also constructs raw WebSocket frames and performs network I/O directly; while not inherently malicious, the insecure TLS setting is a significant concern.
Install Mechanism
No install spec is provided (instruction-only with a bundled Python script). No external packages or downloads are required; the project claims to use only Python stdlib, which the script reflects. This is low install risk, but because the source/homepage is unknown, provenance is limited.
Credentials
The TTS service legitimately requires credentials (app id, api key, api secret) which the SKILL.md and script request. That by itself is proportionate to a cloud TTS client. The problem is the registry metadata incorrectly declares no required env vars — an inconsistency that may hide the need to supply sensitive credentials. Requesting three service-specific secrets is expected for this purpose, but the missing metadata and lack of a declared primary credential are problematic for safe deployment.
Persistence & Privilege
The skill does not request persistent presence (always: false) and does not modify other skills or system settings. It is user-invocable and can be invoked autonomously by the agent (default), which is normal and not a sole basis for concern.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install xfyun-tts
  3. After installation, invoke the skill by name or use /xfyun-tts
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial publish - iFlytek ultra-realistic voice synthesis
Metadata
Slug xfyun-tts
Version 1.0.0
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is iFlytek Ultra-Realistic TTS?

iFlytek Ultra-Realistic TTS (超拟人语音合成) — synthesize natural, expressive speech from text using iFlytek's ultra-realistic voice synthesis API. Supports 50+ voi... It is an AI Agent Skill for Claude Code / OpenClaw, with 151 downloads so far.

How do I install iFlytek Ultra-Realistic TTS?

Run "/install xfyun-tts" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is iFlytek Ultra-Realistic TTS free?

Yes, iFlytek Ultra-Realistic TTS is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does iFlytek Ultra-Realistic TTS support?

iFlytek Ultra-Realistic TTS is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created iFlytek Ultra-Realistic TTS?

It is built and maintained by jpengcheng523-netizen (@jpengcheng523-netizen); the current version is v1.0.0.
