个性化资讯电台生成服务。使用场景:(1) 生成特定主题的电台,(2) 设置每日定时推送,(3) 配置TTS音色,(4) 收听历史电台。不适用:音乐播放、实时广播、视频内容。
Security Analysis
medium confidenceThe skill's stated purpose (local TTS-based news radio) mostly matches its files and instructions, but it instructs automatic downloading and execution of third‑party model code (trust_remote_code / HuggingFace/ModelScope downloads) and supports voice‑cloning — which creates a real risk of running untrusted code and privacy misuse; review providers/qwen3_tts.py and install scripts before use and run in an isolated environment.
Name and description match what the bundle contains: TTS providers, content generation, scripts to download Qwen3‑TTS models, audio management, and OpenClaw/LobsterAI integration. Requested permissions (fileSystem, network) and required binary (python3) are consistent with downloading models, saving audio, and integrating into the platform.
SKILL.md and included docs instruct the agent/operator to download large models from HuggingFace/ModelScope and run local Python code; they also recommend (in examples/docs) using trust_remote_code=True when loading models. The skill instructs reuse of a 'web-search' skill (via Python import or shell fallback) for news gathering — that increases scope and requires calling another skill. The skill also supports voice cloning from user audio samples (3s sample). These behaviors are within the stated purpose but broaden the runtime surface (network downloads, potential arbitrary code from model repos, and use of user audio), so they merit caution.
There is no formal package install spec, but the repo includes install scripts (scripts/install.sh) and instructions that will pip install requirements and run huggingface/modelscope downloads. Download sources are common (HuggingFace, ModelScope) which is expected for models, but the documentation demonstrates loading model repos with trust_remote_code (i.e., executing remote repo code). Automatic download + executing remote model code increases risk compared with pure dependency installation.
The skill does not request secrets or cloud credentials and only declares python3 and platform permissions. This is appropriate for local model use. Documentation suggests optional HF mirror endpoint (HF_ENDPOINT) and use of huggingface/modelscope CLIs — these are benign for model retrieval but could require credentials for private repos; the skill does not request them explicitly.
always:false and the skill is user-invocable; it stores models, audio, and configuration on disk (MEMORY.md / SQLite). It also includes instructions to copy into the OpenClaw workspace and restart services — expected for a skill that writes files. No evidence it modifies other skills' configs. Because it writes files and may be integrated into a user's OpenClaw workspace, install-time isolation is recommended.
Guidance
What to check before installing/using this skill: 1) Review providers/qwen3_tts.py and scripts/install.sh before running them. Look for use of trust_remote_code or any code that executes downloaded files or shells out to run remote scripts. If trust_remote_code is enabled, prefer to disable it or run in a sandbox. 2) Run the install and model download in an isolated environment (VM, container, or dedicated machine). Model downloads will fetch files from HuggingFace/ModelScope and some model repos include custom Python code that will run when loaded. 3) Inspect and consider removing or modifying automatic install scripts if you cannot fully trust them. Prefer manual model retrieval from a verified model repo and manual dependency installation. 4) Be cautious with the voice‑cloning feature: it can synthesize voices from short samples. Only supply audio you own or have permission to use. 5) Limit network and filesystem permissions where possible during testing. The skill will store models (~5GB) and generated audio; ensure you are comfortable with those writes and with the skill being added to your OpenClaw workspace. 6) If you need stronger assurance, ask the maintainer for a minimal provider implementation that loads only vetted model code (no trust_remote_code), or use a prebuilt, signed wheel/binary from a trusted source. Reason for 'suspicious': the skill is functionally coherent, but the documented pattern of downloading third‑party model repos and enabling trust_remote_code (i.e., executing remote code) raises non-trivial security and privacy concerns that require operator review and mitigation.
Latest Release
v0.1.0
lobster-radio-skill v0.1.0 - 首次发布:支持个性化资讯电台生成服务,基于本地Qwen3-TTS语音模型。 - 支持定制主题电台、每日定时推送、TTS音色配置和历史电台收听。 - 完全离线运行,无需API密钥,无额外付费。 - 适配OpenClaw与LobsterAI平台,平台LLM负责内容生成,本Skill专注TTS合成。 - Cowork模式:支持与任意主对话LLM协作,电台内容更加智能丰富。 - 不支持音乐、实时广播或视频内容。
Popular Skills
Published by @Jayden-X-L on ClawHub
