Security Audit

doubao-open-tts

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

TRUSTED

Scanned 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

doubao-open-tts received a trust score of 76/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.

SkillShield's automated analysis identified 4 findings: 0 critical, 0 high, 3 medium, and 1 low severity. Key findings include Potential hardcoded secret (high entropy), Suspicious import: requests, Unpinned Python dependency version.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

86%

Dependency Graph

93%

LLM Behavioral Safety

98%

Behavioral Risk Signals

Network Access

2 findings

Excessive Permissions

1 finding

Security Findings4

Severity	Finding	Layer	Location
MEDIUM	Potential hardcoded secret (high entropy) A high-entropy string (entropy=4.69) was found in a credential-like context. Verify this is not a hardcoded secret. Use environment variables for sensitive values.	Static	skills/xdrshjr/doubao-api-open-tts/SKILL.md:129
MEDIUM	Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration.	Static	skills/xdrshjr/doubao-api-open-tts/scripts/tts.py:15
MEDIUM	Unpinned Python dependency version Requirement 'requests>=2.28.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'.	Dependencies	skills/xdrshjr/doubao-api-open-tts/requirements.txt:1
LOW	Missing direct dependency in requirements.txt The Python scripts `scripts/tts.py` and `scripts/test_tts.py` import and use the `dotenv` library (`from dotenv import load_dotenv`), but `python-dotenv` is not listed as a direct dependency in `requirements.txt`. This can lead to installation failures, unexpected behavior due to uncontrolled versions, or reliance on transitive dependencies. Add `python-dotenv` to `requirements.txt` with a pinned or appropriately versioned entry (e.g., `python-dotenv==1.0.0` or `python-dotenv>=1.0.0`).	LLM	requirements.txt:1

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/2271c4073cad204c.svg)](https://skillshield.io/report/2271c4073cad204c)