🎤 Transcribe audio files using Qwen ASR. 千问STT

ReviewAudited by ClawScan on May 10, 2026.

Overview

This appears to be a straightforward transcription tool, but it uploads the chosen audio to a Qwen demo service and may print the uploaded-audio link.

This skill is reasonable for ordinary transcription tasks. Before installing, understand that it sends the selected audio to a third-party Qwen demo endpoint and may print the uploaded-audio URL in logs. Avoid using it for recordings containing highly sensitive personal, business, or confidential information unless you are comfortable with that external processing.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium

#ASI07: Insecure Inter-Agent Communication

What this means

Private or sensitive recordings may be shared with the external demo service during transcription.

Why it was flagged

The selected audio bytes are uploaded to a remote Qwen demo service for transcription. This is purpose-aligned, but it means the audio leaves the user's environment.

Skill content

BASE_URL = "https://qwen-qwen3-asr-demo.ms.show" ... form.add_field("files", file, filename="audio") ... res = await api_request("/gradio_api/upload", data=form)

Recommendation

Use this only for audio you are comfortable sending to that service; use a local ASR tool for highly sensitive recordings.

Low

#ASI07: Insecure Inter-Agent Communication

What this means

Anyone who can see the logs or tool output may see a link associated with the uploaded audio.

Why it was flagged

After upload, the script logs the remote audio URL, which may appear in local logs or tool output.

Skill content

_LOGGER.warning("Audio file: %s", audio_url)

Recommendation

Avoid sharing logs from transcription runs, and consider redacting or removing this logging if maintaining the skill.

Low

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Future package changes or package-index issues could affect what code is installed to run the skill.

Why it was flagged

The uv script declares Python dependencies without pinned versions, so runtime/install behavior depends on external package resolution.

Skill content

# dependencies = ["aiohttp", "argparse", "gradio_client"]

Recommendation

Prefer pinned versions or a lockfile for reproducible installs, especially in sensitive environments.