Is franklu0819-lang/zhipu-tts safe?

https://github.com/openclaw/skills/tree/main/skills/franklu0819-lang/zhipu-tts

87
SAFE

This is a legitimate text-to-speech skill that converts Chinese text to audio using Zhipu AI's GLM-TTS service. The skill is well-documented and implements expected TTS functionality without malicious behavior.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (4)

MEDIUM External API data transmission -25

The skill sends user-provided text input to an external Chinese TTS service (open.bigmodel.cn). While this is legitimate TTS functionality, it represents data leaving the local environment.

LOW Shell script execution -15

The skill includes an executable bash script for TTS functionality. The script is well-formed and appears legitimate.

LOW Third-party API dependency -20

Users must obtain and provide API keys for Zhipu AI service, creating external service dependency and potential privacy implications.

INFO Monitoring system file access -10

Sensitive files were accessed during the monitoring setup phase, not by the skill itself.