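Windows TTS (WSL2) — Skill Tool
v1.1.1
TTS that speaks directly on Windows 11 (calls powershell.exe + System.Speech from WSL2/TUI). Use it when the user says "say it / read it out / voice announcement / use TTS", or reports "no sound / the mp3 generated by tts is empty / it won't play", and when Chinese speech is needed but OpenClaw's built-in tts is unavailable.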
Security scan
OpenClaw
Suspicious
high confidence
The skill does what it says (invoke Windows TTS from WSL) but the provided scripts insert untrusted text into a double‑quoted PowerShell string without sufficient escaping, allowing PowerShell interpolation/subexpression injection and arbitrary code execution on the Windows host.
Assessment and recommendations
This skill is coherent and will play speech through Windows as advertised, but it currently treats the text you ask it to speak as a PowerShell double‑quoted string and does not neutralize PowerShell variable or subexpression syntax. That means a crafted message (e.g., containing $env:..., $(...), etc.) could cause PowerShell to evaluate code on your Windows host. Before installing/use: (1) Only run this skill in trusted environments and avoid feeding untrusted text to it. (2) Prefer a patched v...
✓ Purpose and capability
Name, description, SKILL.md and the two scripts all consistently implement 'call Windows System.Speech from WSL' to play audio on the Windows default device. The functionality and required actions are proportional to the stated purpose.
⚠ Instruction scope
The runtime instructions and scripts execute powershell.exe on the Windows host (expected for this skill). However, user-provided TEXT is embedded into a PowerShell double‑quoted string (\$s.Speak("$TEXT_ESC");) without escaping PowerShell variable/subexpression syntax ($, $(), ${}, etc.). That allows an input containing $var or $(...) to be interpreted by PowerShell and run arbitrary code on Windows. The SKILL.md mentions escaping $ to avoid bash expansion (a different issue) but does not warn about or mitigate PowerShell interpolation risk.
✓ Install mechanism
No install spec or external downloads; the skill is instruction + small scripts only. That is low-risk from install/source code perspective.
ℹ Credential requirements
The skill declares no env/credentials (correct). It implicitly requires a WSL environment with access to powershell.exe (i.e., Windows host), which the SKILL.md documents, but the registry metadata does not list an OS restriction—minor mismatch to be aware of.
✓ Persistence and privileges
always:false and no persistent installation or cross-skill config changes. The skill runs commands at invocation only; autonomous invocation remains platform default and is not by itself a new risk here.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Versions
latest v1.1.1 2026/2/14
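One way to close the interpolation hole described under "Instruction scope", as an added example that is not the skill's own say.sh: the text and voice name travel as base64 inside a single-quoted literal, so PowerShell decodes them as data and never parses them. The names ps_literal, build_speak_script and say_safe are hypothetical; the example assumes base64 and tr exist in the WSL distribution and powershell.exe is on PATH.

```bash
#!/usr/bin/env bash
# Added example, not the skill's code. The pattern the scan flags is
#   \$s.Speak("$TEXT_ESC");
# where PowerShell parses the text inside a double-quoted string.

# Emit a PowerShell expression that decodes to exactly the bytes of $1.
# The base64 alphabet (A-Z a-z 0-9 + / =) has no quote, $ or backtick, so the
# value cannot close the single-quoted literal or trigger expansion.
ps_literal() {
  local b64
  b64=$(printf '%s' "$1" | base64 | tr -d '\n')
  printf "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('%s'))" "$b64"
}

# Build the one-line PowerShell script. $1 = text, $2 = optional voice name.
# Fixed PowerShell is single-quoted or uses \$ so bash leaves $s alone.
build_speak_script() {
  local text="$1" voice="${2-}" ps
  ps='Add-Type -AssemblyName System.Speech; '
  ps="$ps"'$s = New-Object System.Speech.Synthesis.SpeechSynthesizer; '
  if [ -n "$voice" ]; then
    ps="$ps\$s.SelectVoice($(ps_literal "$voice")); "
  fi
  ps="$ps\$s.Speak($(ps_literal "$text"))"
  printf '%s\n' "$ps"
}

# Hypothetical wrapper; only works where powershell.exe is reachable (WSL2).
say_safe() {
  powershell.exe -NoProfile -NonInteractive -Command "$(build_speak_script "$@")"
}
```

With this shape, a message containing $env:... or $(...) is spoken as those literal characters instead of being evaluated.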
Fix say.sh to be standalone (remove dependency on deleted saycn.sh); keep voice/rate/volume support
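● Suspicious
Install command
Official: npx clawhub@latest install windows-tts-wsl2
Mirror: npx clawhub@latest install windows-tts-wsl2 --registry https://cn.clawhub-mirror.com
Skill documentation
Use Windows built-in TTS via powershell.exe so audio plays through the Windows default output device (no WSLg/PulseAudio required).
When to use this skill (trigger hints)
When the user uses any of the following expressions, prefer this skill over OpenClaw's built-in tts (which may generate an empty mp3 or produce no sound in some environments):
- "say it / read it out / read it aloud / voice announcement / use TTS" (说出来 / 读出来 / 念一下 / 语音播报 / 用 TTS)
- "still no sound / no sound / it won't play" (还没声音 / 没声音 / 播不出来)
- "Chinese speech" (中文语音), when the user wants it played directly through the computer's speakers
Note: this skill plays audio directly; it does not return an audio file path.
Quick start (speak directly)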
Run from WSL:
bash {baseDir}/scripts/say.sh "你好,我是你的助手。"
List installed voices
bash {baseDir}/scripts/list_voices.sh
Speak with a specific voice
bash {baseDir}/scripts/say.sh --voice "VOICE_NAME" "你好,我以后会用这个声音说话。"
Notes
- If you embed PowerShell directly in bash, remember: escape $ or use outer single quotes; otherwise bash expands $s and breaks the command.
- If the user reports errors like =New-Object or TypeName: prompts, prefer the provided scripts instead of ad-hoc quoting.
Data source: ClawHub · Chinese localization: 龙虾技能库