Local text-to-speech using Qwen3-TTS-12Hz-1.7B-CustomVoice. Use when generating audio from text, creating voice messages, or when TTS is requested. Supports 10 languages including Italian, 9 premium speaker voices, and instruction-based voice control (emotion, tone, style). Alternative to cloud-based TTS services like ElevenLabs. Runs entirely offline after initial model download.
Security Analysis
medium confidenceThe skill largely does what it says (local/offline TTS) but contains a few incoherences and risky choices — notably an unauthenticated HTTP server that is suggested to bind to 0.0.0.0/autostart and a minor client/server parameter mismatch — so review before installing or exposing it.
The files and scripts match the stated purpose (local Qwen3 TTS with optional remote server and voice-design helpers). Including server.py, tts.py, and voice-design client is consistent with a TTS skill that can run locally or talk to a local remote server. Minor note: the repo relies on an external PyPI package 'qwen-tts' (installed by setup.sh) whose provenance isn't documented in SKILL.md/README — this is plausible but should be verified.
Runtime instructions and shipped files instruct creating a venv and installing packages and describe running an HTTP API server bound by default to 0.0.0.0 with no authentication. The skill's docs and MAC_SERVER.md explicitly recommend binding to all interfaces and provide an autostart plist. That expands scope from local-only to a network service accessible to the LAN (or wider if the host is reachable). Also tts-voicedesign.py posts a 'voice_description' field but the included server's /tts endpoint expects 'speaker'/'instruct' — a functional mismatch between client and shipped server (sloppy engineering) that may cause runtime errors or lead maintainers to substitute a different remote endpoint.
There is no registry install spec; installation is done by the included scripts/setup.sh which runs pip install qwen-tts soundfile. This is low-to-moderate risk compared to arbitrary downloads, but the origin of the 'qwen-tts' package is not documented (PyPI vs private index). The model download is from Hugging Face (documented), which is expected but is a large automatic download (~1.7GB). No URL-shorteners or unknown binary downloads are used in the scripts themselves.
The skill does not require secrets or credentials. It references environment variables (QWEN_TTS_REMOTE, QWEN_TTS_SPEAKER, QWEN_TTS_LANGUAGE) for convenience but the registry metadata lists no required env vars or primary credential — that is proportionate. Minor inconsistency: SKILL.md and scripts reference those env vars but they are not declared in the skill metadata; nothing sensitive is requested.
The skill does not set always:true nor does it demand platform privileges, but docs strongly recommend running the server as a background service/autostart (launchd plist) and bind to 0.0.0.0. Running an unauthenticated TTS HTTP server that auto-loads large models and stays resident increases risk (exposure, resource use). This is optional but explicitly documented — be cautious before enabling autostart or opening the port to networks.
Guidance
What to check before installing/use: 1) Network exposure: The package includes a FastAPI server that by default binds to 0.0.0.0 and has no authentication. If you run it, avoid binding to all interfaces or enable firewall rules and authentication. Do not expose the port to the public internet. 2) Service autostart: The README/MAC_SERVER.md show a launchd plist for autostart. Only enable autostart if you understand the server will run continuously and consume memory and potentially GPU/CPU. 3) Package provenance: setup.sh installs a PyPI package named 'qwen-tts'. Confirm where that package comes from (PyPI project page / git repo) before installing into any non-isolated environment. 4) Model download and license: The first run auto-downloads a ~1.7GB model from Hugging Face. Confirm the model card/license and be prepared for large disk and network usage. Consider mirrors only if you trust them. 5) Client/server mismatch: tts-voicedesign.py sends a 'voice_description' field that the included server does not accept — expect some of the provided client scripts to be incompatible with the bundled server or to require a different remote endpoint. 6) Run in isolation: Install and test inside an isolated VM/container or dedicated machine user account (so the large model, unknown package, and any network exposure are confined). Inspect the installed 'qwen-tts' package contents before trusting it. 7) Hardening: If you need remote access, put the server behind an authenticated proxy, require network-level restrictions (localhost-only or VPN), and monitor process resource usage. If you want, I can: (a) list exact lines that cause the network exposure risk, (b) help craft a minimal launch command that binds to localhost only, or (c) attempt to locate the 'qwen-tts' package origin if you provide internet access permission.
Latest Release
v1.0.0
Initial release of qwen-tts v1.0.0: - Adds offline local text-to-speech using Qwen3-TTS-12Hz-1.7B-CustomVoice. - Supports 10 languages, including Italian, with 9 premium speaker voices. - Instruction-based voice control: adjust emotion, tone, and style from the command line. - Provides easy setup and quick command-line usage; outputs standard WAV files. - Integrates with OpenClaw and alternatives to cloud-based TTS (like ElevenLabs).
Popular Skills
Published by @paki81 on ClawHub
