Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TencentCloud ASR

v0.1.5

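Tencent Cloud speech recognition ASR Skill, suited to speech-to-text, audio transcription, subtitle generation, meeting transcription, voice message recognition, and recognition of audio from local files or URLs. It includes three modes: sentence recognition (short audio, <=60s), flash recording recognition (medium-to-long audio, <=2h/100MB, fast synchronous return), and recording recognition (long audio, <=5h, asynchronous). Supports Mandarin, English, Cantonese, Japanese, Korean...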

5· 1.4k·17 current·17 all-time

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for stardusten/tencentcloud-asr.

Install the skill "TencentCloud ASR" (stardusten/tencentcloud-asr) from ClawHub.
Skill page: https://clawhub.ai/stardusten/tencentcloud-asr
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install stardusten/tencentcloud-asr

ClawHub CLI


npx clawhub@latest install tencentcloud-asr
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill name, docs, and scripts all implement Tencent Cloud ASR functionality (sentence/flash/file modes) — that is coherent. However, the registry metadata declares no required environment variables or primary credential while the scripts and references explicitly require TENCENTCLOUD_SECRET_ID/TENCENTCLOUD_SECRET_KEY (and sometimes TENCENTCLOUD_APPID). This metadata omission is an incoherence that could mislead users about secrets the skill needs.
Instruction Scope
SKILL.md instructs the agent to run local scripts (inspect_audio.py, ensure_ffmpeg.py, self_check.py, and the various recognizers). The docs also include integration guidance that accesses system paths (e.g., /home/admin/.openclaw/qqbot/downloads for QQ Bot integration) and recommend accepting/processing user-provided credentials. The skill explicitly permits autonomous installation of system components (ffmpeg/ffprobe) and running pip installs; these behaviors go beyond purely analyzing an uploaded audio file and require careful user consent.
Install Mechanism
There is no static install spec in registry metadata (instruction-only), but scripts perform dynamic installs at runtime: ensure_ffmpeg.py drives system package managers (apt/dnf/yum/zypper/brew/winget/choco) and may run sudo, and file_recognize.py auto-installs the tencentcloud SDK via pip. ensure_ffmpeg.py also contains logic to fetch rpmfusion rpms via a mirror URL as a repo fallback. These dynamic install actions modify the host and involve network downloads — expected for full ASR functionality but higher-risk than pure instruction-only skills and not reflected in metadata.
Credentials
The skill requires Tencent Cloud credentials (SecretId/SecretKey) and optionally AppId, documented across references and enforced by scripts (require_credentials, get_credentials). The registry metadata reported 'Required env vars: none' and 'Primary credential: none', which is contradictory. The skill also references TENCENTCLOUD_TOKEN optionally. Asking for these secrets is proportional to the service, but the metadata omission and the skill's guidance around receiving credentials via chat (even while warning about risks) are notable issues for users with limited security awareness.
Persistence & Privilege
The skill is not marked always:true, and does not request persistent platform privileges. However, runtime behavior includes: attempting to install system packages (possibly with sudo), adding repos (rpmfusion fallback), and installing pip packages — all of which can alter the host system. The skill also contains guidance for integrating with host systems (OpenClaw/QQ Bot) that accesses host paths. That level of side-effecting system access is significant and should be explicitly consented to by the user/environment operator.
What to consider before installing
Plain-language considerations before installing or using this skill:

  • The skill actually needs your Tencent Cloud credentials (TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY, and sometimes TENCENTCLOUD_APPID) even though the registry metadata says none — do not paste secrets into group chat; prefer configuring them locally or providing them only in a secure, private channel.
  • At runtime the skill may auto-install software: it can call system package managers (apt/dnf/yum/zypper/brew/winget/choco, possibly with sudo) to install ffmpeg/ffprobe and will pip-install the tencentcloud SDK. That means it can modify the host system and requires network access. Only run it on machines where you accept those changes (e.g., disposable VM, container, or developer machine), or inspect and run the scripts manually yourself.
  • The code references and may read host file paths (e.g., QQ Bot downloads directory) for integrations — if you don't want that, don't enable the QQ Bot integration or run the skill in an isolated environment.
  • The SKILL.md includes helpful security guidance (prefer temporary env injection, don't write keys to shell profiles), but some reference docs also show how to persist keys. Decide your preferred credential handling policy and enforce it (temporary env vs. persistent profile).
  • If you are not comfortable with automated package installs, review the scripts (ensure_ffmpeg.py, file_recognize.py, etc.) and run them manually under supervision, or set up ffmpeg and the Python SDK yourself before invoking the skill.

What would increase my confidence: updated registry metadata that correctly lists required environment variables/primary credential and an explicit install manifest or an option to disable autonomous installation. If those aren’t provided, treat this skill as requiring elevated trust and run it only in an isolated environment.
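
The mismatch the scan describes (registry metadata declaring no environment variables while the scripts read TENCENTCLOUD_* credentials and run installers) can be checked mechanically before a skill is run. The following is an added example, not code from the skill or from ClawHub: the function name audit_skill, the declared-variable list and the embedded script snippets are constructed for illustration and are not the skill's actual sources.

```python
import re

# Reads of environment variables: os.environ["X"], os.environ.get("X"), os.getenv("X")
ENV_RE = re.compile(r"""os\.(?:environ(?:\.get\(|\[)|getenv\()\s*["']([A-Z][A-Z0-9_]*)["']""")
# Host-modifying commands named in the scan: sudo, package managers, pip install
INSTALL_RE = re.compile(
    r"""\b(sudo|apt-get|apt|dnf|yum|zypper|brew|winget|choco)\b|\bpip3?["',\s]+install\b""")

def audit_skill(declared_env, sources):
    """Compare declared env vars with what the scripts read.

    declared_env: names listed in the registry metadata (hypothetical input).
    sources: {filename: source text}.
    Returns (sorted undeclared env vars, {filename: sorted installer tokens}).
    """
    used, installs = set(), {}
    for name, text in sources.items():
        used.update(ENV_RE.findall(text))
        hits = sorted({m.group(1) or "pip install" for m in INSTALL_RE.finditer(text)})
        if hits:
            installs[name] = hits
    return sorted(used - set(declared_env)), installs

# Constructed sample sources, written to mirror the behaviours the scan reports.
SAMPLE_SOURCES = {
    "scripts/common.py": '''
import os
def get_credentials():
    sid = os.environ.get("TENCENTCLOUD_SECRET_ID")
    key = os.getenv("TENCENTCLOUD_SECRET_KEY")
    token = os.environ.get("TENCENTCLOUD_TOKEN", "")
    return sid, key, token
''',
    "scripts/ensure_ffmpeg.py": '''
import subprocess
subprocess.run(["sudo", "apt-get", "install", "-y", "ffmpeg"], check=True)
''',
    "scripts/file_recognize.py": '''
import os, subprocess, sys
appid = os.environ["TENCENTCLOUD_APPID"]
subprocess.run([sys.executable, "-m", "pip", "install", "tencentcloud-sdk-python"])
''',
}

if __name__ == "__main__":
    undeclared, installs = audit_skill([], SAMPLE_SOURCES)  # metadata declares none
    print("undeclared env vars:", undeclared)
    print("installer calls:", installs)
```

The regexes are a heuristic over source text, so a hit means "read this file before running it", not proof of behaviour, and variables read through indirection will be missed.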

Like a lobster shell, security has layers — review code before you run it.

Tags: asr, chinese, doubao, english, feishu, latest, qq, tencent, tencentcloud, voice, wechat
1.4k downloads
5 stars
5 versions
Updated 21h ago
v0.1.5
MIT-0

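Tencent Cloud Speech Recognition Skill

Tencent Cloud Automatic Speech Recognition (ASR) is the same ASR engine used by WeChat, proven across scenarios with hundreds of millions of users, stable and reliable. Its recognition of mixed Chinese-English speech is industry-leading, accurate and fluent. It supports Mandarin, dialects and multiple languages, and offers sentence recognition, recording recognition and other capabilities for every scenario, making it a cost-effective first choice for speech-to-text.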

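Core execution flow

  1. The user provides audio to be transcribed
    • Run inspect_audio.py first
    • Then choose sentence_recognize.py / flash_recognize.py / file_recognize.py according to duration, size, and URL vs local path
  2. The user has just provided new Tencent Cloud credentials
    • Prefer running self_check.py directly
    • Move on to real recognition only after the self-check passes
  3. The user asks about installation, service activation, manual configuration, FFmpeg, or the CLI backend
    • Do not push those details back into the main flow; read the corresponding document from the reference map at the end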

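Next steps

  • To integrate with the host system and try automatic transcription
    • Ordinary case: configure the CLI transcription backend
    • QQ Bot 1.5.4: can use the adaptation scheme directly; it does not have to depend on the default CLI transcription to recognize voice messages
  • To try the recognition capability directly
    • Have the user drop in an audio file or a public link
    • Then continue helping the user with transcription, summarization, troubleshooting, and key-point extraction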

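Rules that must be followed

  • ⚠️Never substitute the model's own abilities for ASR⚠️: when a script fails, return the error; do not guess the transcript.
  • Probe before recognizing: always run python3 <SKILL_DIR>/scripts/inspect_audio.py "<AUDIO_INPUT>" first
  • Install ffmpeg / ffprobe autonomously first: run python3 <SKILL_DIR>/scripts/ensure_ffmpeg.py --execute first, and ask the user for help only after it fails.
  • Self-check on receiving new credentials: run python3 <SKILL_DIR>/scripts/self_check.py by default; do not have the user try scripts by hand first.
  • Interrupt little by default: unless the user must supply credentials, explicitly asks for manual configuration, or the language/engine is genuinely uncertain, do not go back and forth with pointless confirmations.
  • Key security comes first
    • Group chat: never ask the user to send SecretId / SecretKey / AppId directly
    • Private chat: still warn first that "the keys will pass through the LLM, so there is a risk of leakage"
  • For a one-off task, prefer injecting into the current command: do not write to ~/.bashrc / ~/.zshrc just to run one recognition
  • Do not write keys into the workspace
  • Keep the wording "possibly" when the flash mode fails: if sentence recognition and recording file recognition pass in the self-check and only the flash mode fails, say that this is "common for international-site accounts, or for mainland-site accounts that are restricted when accessed from overseas", but do not state it as a definite conclusion.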

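Engine selection cheatsheet

The conversation language is only a prior; it is not the same as the language of the audio itself. If the user's audio is clearly in a different language, switch to the audio's language.

Scenario | Sentence recognition | Flash | Recording file recognition | Notes
Mandarin | 16k_zh | 16k_zh / 16k_zh_large | 16k_zh / 16k_zh_large | Default first choice
Mixed Chinese and English | 16k_zh-PY | 16k_zh_en | 16k_zh_en | Preferred for mixed speech
Cantonese | 16k_yue | 16k_yue | 16k_yue |
English | 16k_en | 16k_en | 16k_en / 16k_en_large |
Japanese | 16k_ja | 16k_ja | 16k_ja |
Korean | 16k_ko | 16k_ko | 16k_ko |
Multilingual / language uncertain | Specify a concrete language | 16k_multi_lang | 16k_multi_lang | Sentence recognition has no automatic multilingual engine

If there are several clearly viable options:

  • Give a recommendation
  • State the pros and cons in one sentence
  • Then ask the user whether to switch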

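Routing quick reference

Local files

  • Normalize first to 16kHz, mono, pcm_s16le .wav
  • <=60s, <=3MB: sentence_recognize.py
  • <=2h, <=100MB: prefer flash_recognize.py
  • Larger files: prefer slicing and sending each slice through Flash; if a COS / public URL already exists and the final length is <=5h, file_recognize.py rec can be used

Public URLs

  • Go straight to file_recognize.py rec by default
  • Do not download, probe and transcode locally before routing
  • Only when file_recognize.py rec actually fails, decide from the error whether to enter the local download / normalize / slice chain
  • Treat sentence recognition as an explicit special case, not the default path, only when the user explicitly asks for an immediate synchronous result

When you hit questions about URLs, large files, slicing, or the body vs URL trade-off, then read routing_strategy.md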

Minimal script examples

# Pre-check
python3 <SKILL_DIR>/scripts/inspect_audio.py "<AUDIO_INPUT>"

# Credential self-check
python3 <SKILL_DIR>/scripts/self_check.py

# Sentence recognition
python3 <SKILL_DIR>/scripts/sentence_recognize.py "<AUDIO_INPUT>" --engine 16k_zh

# Flash mode
python3 <SKILL_DIR>/scripts/flash_recognize.py "<AUDIO_INPUT>" --engine 16k_zh

# Recording file recognition
python3 <SKILL_DIR>/scripts/file_recognize.py rec "<AUDIO_INPUT_OR_URL>" --engine 16k_zh

# CLI transcription backend
python3 <SKILL_DIR>/scripts/cli_transcribe.py "<MEDIA_PATH_OR_URL>"

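When to read on into references

Core script list

  • scripts/inspect_audio.py: audio probing
  • scripts/ensure_ffmpeg.py: autonomous installation of ffmpeg / ffprobe
  • scripts/self_check.py: self-check of credentials and the three modes
  • scripts/sentence_recognize.py: sentence recognition
  • scripts/flash_recognize.py: recording file recognition, flash mode
  • scripts/file_recognize.py: recording file recognition, asynchronous task
  • scripts/cli_transcribe.py: CLI backend wrapper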
