← 返回 Skills 市场
iFlytek Ultra-Realistic TTS
作者
jpengcheng523-netizen
· GitHub ↗
· v1.0.0
· MIT-0
151
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install xfyun-tts
功能描述
iFlytek Ultra-Realistic TTS (超拟人语音合成) — synthesize natural, expressive speech from text using iFlytek's ultra-realistic voice synthesis API. Supports 50+ voi...
安全使用建议
This skill appears to implement the claimed iFlytek TTS functionality, but there are two issues you should consider before installing or using it:
1) Metadata mismatch — The registry entry claims no required environment variables, but SKILL.md and the bundled script require XFYUN_APP_ID, XFYUN_API_KEY, and XFYUN_API_SECRET. Do not provide sensitive credentials unless you trust the publisher. Ask the maintainer to fix the metadata so the required secrets are visible up front.
2) Insecure TLS — The Python WebSocket client in scripts/tts.py explicitly disables TLS certificate verification (check_hostname=False and verify_mode=ssl.CERT_NONE). This can enable man-in-the-middle attacks that could capture your API keys or audio data. Request a version that validates certificates, or run the script only in a controlled environment or over a trusted network. Prefer using an official SDK or a verified client that performs proper TLS validation.
Other suggestions:
- Verify the endpoint host and that it matches the official provider; confirm the code hasn’t been tampered with (no homepage/source is provided).
- Inspect the remainder of scripts/tts.py (file was truncated in the listing) to ensure there is no hidden data exfiltration or logging of secrets.
- Limit the API key permissions (use least privilege) and consider creating a dedicated test account/keys for evaluation.
Given these issues, treat the skill with caution. The problems look like sloppy or risky engineering rather than clear malicious intent, but they are serious enough to delay use until corrected.
功能分析
Type: OpenClaw Skill
Name: xfyun-tts
Version: 1.0.0
The script scripts/tts.py implements a custom WebSocket client to interact with iFlytek's TTS API but explicitly disables SSL certificate verification (ssl.CERT_NONE), which is a significant security vulnerability allowing for potential man-in-the-middle attacks. While the code appears to align with its stated purpose of speech synthesis and uses only standard libraries, the intentional bypass of transport security warrants a suspicious classification.
能力评估
Purpose & Capability
The skill's name/description (iFlytek Ultra-Realistic TTS) matches the code and SKILL.md: it implements a WebSocket-based TTS client for the stated endpoint. However, registry metadata lists no required environment variables while SKILL.md and scripts/tts.py clearly require XFYUN_APP_ID, XFYUN_API_KEY, and XFYUN_API_SECRET. That metadata omission is an incoherence that could mislead users into installing without realizing credentials are needed.
Instruction Scope
The runtime instructions and code scope are limited to reading text (positional arg, file, or stdin), contacting the iFlytek WebSocket endpoint, and writing an audio file — that is coherent for TTS. However, the included client disables TLS verification (ctx.check_hostname = False and ctx.verify_mode = ssl.CERT_NONE), which weakens transport security and could allow a man-in-the-middle to observe or tamper with content or credentials. The code also constructs raw WebSocket frames and performs network I/O directly; while not inherently malicious, the insecure TLS setting is a significant concern.
Install Mechanism
No install spec is provided (instruction-only with a bundled Python script). No external packages or downloads are required; the project claims to use only Python stdlib, which the script reflects. This is low install risk, but because the source/homepage is unknown, provenance is limited.
Credentials
The TTS service legitimately requires credentials (app id, api key, api secret) which the SKILL.md and script request. That by itself is proportionate to a cloud TTS client. The problem is the registry metadata incorrectly declares no required env vars — an inconsistency that may hide the need to supply sensitive credentials. Requesting three service-specific secrets is expected for this purpose, but the missing metadata and lack of a declared primary credential are problematic for safe deployment.
Persistence & Privilege
The skill does not request persistent presence (always: false) and does not modify other skills or system settings. It is user-invocable and can be invoked autonomously by the agent (default), which is normal and not a sole basis for concern.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install xfyun-tts - 安装完成后,直接呼叫该 Skill 的名称或使用
/xfyun-tts触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial publish - iFlytek ultra-realistic voice synthesis
元数据
常见问题
iFlytek Ultra-Realistic TTS 是什么?
iFlytek Ultra-Realistic TTS (超拟人语音合成) — synthesize natural, expressive speech from text using iFlytek's ultra-realistic voice synthesis API. Supports 50+ voi... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 151 次。
如何安装 iFlytek Ultra-Realistic TTS?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install xfyun-tts」即可一键安装,无需额外配置。
iFlytek Ultra-Realistic TTS 是免费的吗?
是的,iFlytek Ultra-Realistic TTS 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
iFlytek Ultra-Realistic TTS 支持哪些平台?
iFlytek Ultra-Realistic TTS 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 iFlytek Ultra-Realistic TTS?
由 jpengcheng523-netizen(@jpengcheng523-netizen)开发并维护,当前版本 v1.0.0。
推荐 Skills