Safety Report

🗣️ Text-to-speech using GLM-TTS for generating audio

Name: 🗣️ Text-to-speech using GLM-TTS for generating audio
Rating: 5 (2 reviews)
Author: al-one

Text-to-speech conversion using GLM-TTS service via the `uvx zai-tts` command for generating audio from text. Use when (1) User requests audio/voice output w...

45Downloads

0Installs

2Stars

4Versions

Video & Audio6,125

Security Analysis

high confidence

Clean0.12 risk

The skill's requirements and runtime instructions are consistent with a CLI-based text-to-speech integration that needs the uvx binary and an auth token for audio.z.ai, but it asks you to extract a session token from your browser localStorage which is sensitive and worth caution.

Mar 6, 20261 files3 concerns

Purpose & Capabilityok

Name/description (GLM-TTS via uvx) match the declared requirements: uvx binary and ZAI_AUDIO_USERID / ZAI_AUDIO_TOKEN environment variables are exactly what a CLI client to audio.z.ai would need.

Instruction Scopenote

SKILL.md only instructs running the uvx CLI with arguments and how to obtain credentials. It explicitly tells users to extract auth info from browser localStorage (JSON.parse(localStorage['auth-storage']).state.token), which is sensitive but directly related to authenticating to audio.z.ai; the instructions do not attempt to read other system files or unrelated credentials.

Install Mechanismnote

Install spec uses common package managers (brew or pip) for a package named 'uv' that provides uvx. Having both brew and pip installers is redundant but not inherently risky; no arbitrary download URLs or extracted archives are present.

Credentialsnote

Only two env vars (userId and token) are required, and the token is the primary credential — appropriate for a remote TTS service. However the recommended method to obtain them (copying a session token from localStorage) can encourage insecure handling of session tokens and may expose long-lived credentials if not managed carefully.

Persistence & Privilegeok

Skill does not request always:true, does not declare config paths, and does not modify other skills; autonomous invocation is default but not excessive for this type of integration.

Guidance

This skill is coherent for using audio.z.ai via the uvx CLI, but be careful with the auth token. The SKILL.md asks you to copy a token from browser localStorage — treat that token like a password: don't paste it into public places, prefer creating a scoped API key if the service provides one, and store it in a secure credential store rather than a plain environment file if possible. Before installing, verify the source of the 'uv' package (brew/pypi) to ensure you're installing the intended uvx client. If you are uncomfortable extracting session tokens from your browser, contact the service to get an official API token or use an alternative TTS provider with clearer API key support.

Latest Release

v1.0.3

- Added skill homepage link for easier access to documentation. - Usage section now shows support for inputting text from files with the `-f` option.

Popular Skills

self-improving-agent

@pskoett · 1,456 stars

Gog

@steipete · 672 stars

Tavily Web Search

@arun-8687 · 620 stars

Find Skills

@JimLiuxinghai · 529 stars

Proactive Agent

@halthelobster · 426 stars

Summarize

@summarize · 415 stars

Published by @al-one on ClawHub