Is lhuaizhong/cosyvoice3-macos safe?

https://github.com/openclaw/skills/tree/main/skills/lhuaizhong/cosyvoice3-macos

88
SAFE

This is a legitimate text-to-speech skill using Alibaba's CosyVoice3 for macOS Apple Silicon. The skill provides multilingual TTS capabilities with voice cloning features. While it downloads external dependencies and uses hardcoded paths, no malicious behavior was detected.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (4)

MEDIUM Hardcoded file paths may cause failures -10

The skill uses hardcoded paths like '/Users/lhz/.openclaw/workspace/' that are specific to the author's system and may not exist on other machines

LOW Downloads and executes external installers -20

The installation script downloads and executes Miniconda installer and installs multiple Python packages, which could pose security risks if sources are compromised

LOW Large model downloads from external sources -5

Downloads approximately 5GB of ML models from ModelScope/Alibaba servers, requiring verification of source integrity

INFO Significant disk space requirements 0

The skill requires approximately 5GB of disk space for ML models which users should be aware of before installation