Skill v0.1.1

ClawScan security

Speechall command-line tool for fast speech-to-text transcription using multiple providers · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 9:16 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions and purpose are generally coherent for a CLI wrapper around an external Speechall service, but the runtime instructions require an API key and reference external downloads and Homebrew taps, while the skill metadata does not declare any required credentials or a homepage. This mismatch between metadata and instructions, together with the unknown source, warrants caution.
Guidance
Things to check before installing or using this skill:
- The SKILL.md expects you to provide SPEECHALL_API_KEY, but the skill metadata doesn't list any required credential. Treat that as an omission and assume the API key is required. Confirm where you will get the key (speechall.com) and whether you trust that service.
- Verify the Homebrew tap and GitHub release URLs referenced in the instructions (Speechall/tap and github.com/Speechall/speechall-cli) before running brew install or downloading binaries. Prefer officially signed releases.
- Because the skill communicates with an external transcription service, be cautious about uploading sensitive audio. Review the Speechall service's privacy, retention, and billing policies before sending private data.
- Ask the skill publisher to update the registry metadata to declare SPEECHALL_API_KEY as a required credential and to provide a homepage/source link. If you must proceed, create a scoped API key with minimal permissions and be prepared to rotate it if you stop using the service.
- If you want higher assurance, test the CLI in an isolated environment (VM or sandbox) and inspect network activity when you first run it.

Review Dimensions

Purpose & Capability
ok: The name/description match the SKILL.md: it documents installing and using a speechall CLI to transcribe audio via the Speechall API and lists sensible commands and options (transcribe, models, diarization, output formats). The claimed multi-provider support is plausible for a single aggregator API.
Instruction Scope
note: The SKILL.md stays within the stated purpose: it only instructs how to install the CLI, set an API key, and run transcription/model-listing commands. It references external endpoints (speechall.com console and GitHub releases), which is expected, but the instructions explicitly require an API key (SPEECHALL_API_KEY) even though the skill metadata did not declare any required env vars; see environment_proportionality.
Install Mechanism
ok: There is no install spec in the registry (instruction-only), and the SKILL.md suggests installing via Homebrew or downloading GitHub releases. Those are standard distribution channels; nothing in the instructions calls out obscure or shortener URLs or archive extraction behavior. However, there is no published homepage/source in the metadata to verify the tap or GitHub repo beyond the URLs in the instructions.
Credentials
concern: The SKILL.md requires an API key supplied via SPEECHALL_API_KEY or a flag and points users to speechall.com to create keys, yet the registry metadata lists no required env vars/primary credential. That mismatch is an incoherence: the skill effectively needs a sensitive credential but does not declare it. Also, the skill references external provider names (OpenAI, Deepgram, Google, etc.), which might imply additional credentials in some setups; the instructions do not require these, which is plausible but should be explicit.
Persistence & Privilege
ok: The skill does not request always:true, does not include an install spec that writes to disk via the registry, and does not ask to modify other skills or system config. It only instructs the agent/user to install a CLI locally, so no elevated persistent privileges are requested by the skill itself.