Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Voice-to-Protocol Transcriber
v1.0.0
Record experimental procedures and observations via voice commands during lab work. Real-time transcription for structured experiment documentation.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
Name, description, and included code implement a local transcription/recording tool that saves experiment notes to user files—this aligns with the stated purpose. However, SKILL.md recommends installing speechrecognition/pyaudio/pydub/python-docx, while requirements.txt only lists dataclasses/enum/wave (standard or unrelated libs). The mismatch between documented dependencies and requirements.txt is unexpected and may indicate sloppy packaging or omitted runtime dependencies.
Instruction Scope
The runtime instructions and code focus on local recording, CLI usage, and a config file under ~/.openclaw/config — all within expected scope. But SKILL.md asserts 'No external API calls' in the risk table while also advising that 'Chinese recognition requires good network connection' and listing speechrecognition as a dependency (which may use online recognition backends by default). This contradiction is concerning because networked speech recognition could send audio off-host; the truncated portion of the code may contain recognizer selection or network calls that are not visible in the provided snippet.
Install Mechanism
No formal install spec is present (instruction-only), which minimizes automatic disk writes, but SKILL.md recommends pip installing third-party audio and speech libraries. That is a common approach but the actual requirements.txt omits those packages. The lack of a packaged install spec combined with inconsistent dependency declarations increases the chance a user will manually install/compile system-level audio components (e.g., PortAudio) without guidance.
Credentials
The skill declares no environment variables, no credentials, and no access to other skills' configs. File writes are limited to a user directory (~/Documents/Experiment-Protocols or ~/.openclaw/config), which is proportionate to the stated purpose. There are no declared secrets requested.
Persistence & Privilege
The skill is not always-on and does not request elevated/always-installed privileges. It reads/writes its own config under ~/.openclaw and writes output files to the user's Documents directory—behavior consistent with a local utility.
What to consider before installing
Before installing or running this skill:
1) Inspect the rest of scripts/main.py (the file was truncated) to confirm there are no network calls or hidden endpoints (look for requests, urllib, socket, speech recognizer choice).
2) Reconcile dependencies: SKILL.md lists speechrecognition/pyaudio/pydub/python-docx but requirements.txt does not—ensure you install only trusted packages and prefer pinned versions.
3) Verify whether the speech recognition backend is local (e.g., VOSK) or cloud-based (Google, Azure, etc.); avoid sending sensitive audio to external services if experiment details are confidential.
4) Run initially in a sandboxed account or VM and with a test microphone to validate behavior; check saved files for unexpected content or exfiltration.
5) Confirm safe file paths (no directory-traversal vulnerabilities), and review how experiment_name is used to build filenames to avoid injection into paths.
6) If you need stronger assurance, ask the author for the missing packaging info or a signed release, or request that the maintainer include an explicit option to use an offline recognizer and to disable any network calls.
Like a lobster shell, security has layers — review code before you run it.
