Total downloads: 2937
Favorites: 0
Current installs: 18
Versions: 2
Install in OpenClaw:
/install voice
Description
Convert text to speech using Microsoft Edge's TTS engine with customizable voices, direct playback, and automatic temporary file cleanup.
Security recommendations
This skill appears to do what it says (edge-tts TTS + playback), but the implementation builds and executes shell command strings with user-provided text. That creates a real command-injection risk: a maliciously crafted input could execute arbitrary shell commands on the host. Before installing or enabling this skill in sensitive environments, consider the following:
- Do not run it on production systems or hosts with sensitive data until reviewed or sandboxed.
- Inspect and/or modify the code to avoid exec with a concatenated command string. Safer alternatives:
  - Use child_process.spawn with an argument array (no shell) or execFile so the text is passed as an argument rather than interpolated into a shell command.
  - Or call the Python API (edge-tts package) from a subprocess with structured arguments or via an RPC/worker, avoiding shell interpolation.
  - Properly escape or validate user text (but escaping is easy to get wrong; prefer avoiding the shell entirely).
- Consider changing the temp directory to a skill-local, non-shared path and ensure it cannot traverse outside the skill folder. The code currently writes to path.join(__dirname, '..', '..', 'temp'), which may be broader than expected.
- Avoid running the 'install' action automatically; perform dependency installation manually in a controlled environment.
If you are not able to patch the code, run the skill only in an isolated sandbox or container and avoid giving it access to sensitive files or credentials.
Functional analysis
Type: OpenClaw Skill
Name: voice
Version: 1.0.1
The skill is classified as suspicious due to a critical command injection vulnerability in the `playAudio` function within `index.js`. Specifically, when playing audio on Windows, the `filePath` parameter is directly embedded into a PowerShell command string without sufficient sanitization, allowing for arbitrary command execution if a malicious `filePath` is provided. The `SKILL.md` and `README.md` explicitly document the `play` action with a user-controlled `filePath`, making this vulnerability easily exploitable by a malicious agent or user.
Capability assessment
Purpose & Capability
The name, SKILL.md, package.json and code all describe a TTS skill using edge-tts. Requested dependencies and behaviors (generate audio, play files, cleanup) are consistent with the stated purpose.
Instruction Scope
The runtime instructions and code run shell commands (execAsync) to call the edge-tts CLI and to install dependencies. The edge-tts invocation is built as a single shell command string that includes untrusted user text; because exec runs via a shell, constructs like $(...), `...`, or other shell metacharacters inside the text can result in arbitrary command execution (command injection). The skill also spawns system audio players and writes/cleans files under a temp directory two levels above the skill directory, which is surprising and should be reviewed.
Install Mechanism
There is no package install spec in the registry metadata, but the skill's code and SKILL.md instruct users (and provide an 'install' action) to run `pip3 install edge-tts`. Installing via pip is expected for this functionality, but runtime installation (exec of pip3) means the agent will perform network installs and execute whatever the installer does — acceptable for a TTS skill but worth noting.
Credentials
The skill requests no environment variables or credentials. No unrelated secrets are requested. The main risk is filesystem and shell invocation rather than excessive credential access.
Persistence & Privilege
The skill is not always-included and does not request elevated platform privileges. It doesn't modify other skills or global agent config. Its temporary file management and install action affect only local FS and pip.
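How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install voice
- Once installed, call the Skill by name or use /voice to trigger it
- Provide the required input according to the Skill's parameter description to get structured output
Version history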
v1.0.1
- Added CHANGELOG.md and README.md files for clearer documentation.
- Updated skill features and usage: introduced direct speaking ("speak" action), playback ("play" action), and voice listing ("voices" action).
- Enhanced control over file cleanup timing and playback behavior.
- Updated supported options and voices to provide more flexibility and broader language support.
- Revised and improved SKILL.md documentation to reflect these enhancements.
v1.0.0
Initial release of the Voice skill.
- Adds text-to-speech conversion using Microsoft Edge's TTS engine.
- Supports multiple voice options and customizable audio settings (voice, rate, volume, pitch).
- Integrates with the MEDIA system for audio playback.
- Automatically manages and cleans up temporary audio files.
- Includes actions for both TTS and manual or scheduled file cleanup.
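FAQ
What is Voice?
Convert text to speech using Microsoft Edge's TTS engine with customizable voices, direct playback, and automatic temporary file cleanup. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 2937 cumulative downloads so far.
How do I install Voice?
Run the command "/install voice" in the OpenClaw or Claude Code chat box to install it in one step, with no extra configuration.
Is Voice free?
Yes, Voice is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does Voice support?
Voice is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Voice?
It is developed and maintained by zhaov (@zhaov1976); the current version is v1.0.1.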