Generate audio replies using TTS. Trigger with "read it to me [public URL]" to fetch and read content aloud, or "talk to me [topic]" to generate a spoken res...
Security Analysis
high confidenceThe skill is internally consistent: it implements local TTS on macOS using the uv tool, fetches public URLs under clearly-stated guardrails, and only requires installing uv via Homebrew — nothing requested looks disproportionate to the stated purpose.
Name/description (local TTS, read public URLs, conversational audio) align with requirements: macOS-only, requires the 'uv' binary, and uses a local MLX Audio model. Requesting a TTS runtime (uv) is appropriate for the stated functionality.
SKILL.md instructs the agent to validate and fetch http(s) URLs, extract text, generate TTS via 'uv run', play audio, and clean up temp files. The skill includes explicit safety guardrails (block localhost/RFC1918/private ranges, refuse credential-bearing URLs, summarize long pages). Because this is instruction-only, proper enforcement of those guardrails depends on the agent following them — the instructions are scoped to the stated purpose but rely on the agent to perform correct URL validation and not to leak data.
Install spec uses Homebrew to install 'uv' (astral-sh/uv), a known package manager tool; this is an expected, low-risk install mechanism for macOS. No arbitrary download URLs or extracted archives are specified.
The skill requests no environment variables, no credentials, and no config paths. This is proportional to a local TTS reader that operates on public web pages and generated text.
always is false and the skill is user-invocable only. It does not request permanent presence or elevated system configuration changes and does not modify other skills' settings.
Guidance
This skill appears to do exactly what it says: run local TTS on macOS and read public web pages. Before installing: (1) verify you trust the 'uv' package source (install via Homebrew or the official Astral installer), (2) expect a ~500MB model download from Hugging Face the first run and ensure disk space, (3) avoid feeding private/authenticated URLs or secrets (the skill relies on the agent to enforce guardrails), and (4) confirm your environment policy allows external URL fetching. If you need stricter guarantees, review or test the agent's URL-validation implementation and network restrictions before using the "read it to me" feature.
Latest Release
v1.1.0
- Added a README.md file with introductory and usage information. - Updated SKILL.md with clearer safety guardrails for fetching URLs, including explicit restrictions on local/private/internal addresses and sensitive links. - Strengthened privacy guidance: refuse to process private/authenticated content and warn about potential persistence in chat history. - Expanded installation metadata, now specifying support for Darwin (macOS), required tools, and Homebrew install instructions for dependencies. - Clarified implementation/safety steps and URL validation in both the documentation and example workflows.
More by @MaTriXy
Published by @MaTriXy on ClawHub
