Oathe Security Badge

Is ahmedeid5/openclaw-groq-orpheus-tts safe?

https://github.com/ahmedeid5/openclaw-groq-orpheus-tts

95
SAFE

This appears to be a legitimate text-to-speech skill that uses the Groq API to generate audio files. While it accessed some sensitive system files during installation, no exfiltration occurred and the code behavior matches the documented functionality.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (3)

LOW Accessed sensitive system files -15

The skill installation process accessed honeypot files including .env, SSH keys, AWS credentials, and other sensitive files. However, monitoring confirmed these files were not modified or exfiltrated.

LOW Contains executable code with external dependencies -5

The skill includes a Python script that makes HTTP requests to external APIs and executes system commands via subprocess. The code appears legitimate but represents potential attack surface.

INFO External service dependencies -10

The skill requires access to Groq's TTS API service and depends on system binaries like ffmpeg. This creates dependencies on external services that could pose availability or privacy considerations.