Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fun-ASR-File

v1.1.0

Alibaba Cloud Model Studio (Bailian) FunASR local audio file recognition (non-streaming), using the Alibaba Cloud DashScope API for speech-to-text. Optimized for local audio files, with automatic format conversion, and suited to batch file transcription.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description (local ASR via FunASR / DashScope) match the code and SKILL.md: the script calls the DashScope ASR API to transcribe local files and recommends FFmpeg for preprocessing. The requested functionality (local file transcription) is consistent with the implementation.
Instruction Scope
SKILL.md and scripts/cli.py limit actions to reading a user-supplied audio file, preprocessing instructions (FFmpeg), and sending the file to DashScope; they do not attempt to read unrelated system files. NOTES.md documents optional interaction with another skill (tikhub-douyin-media-links) for fetching media links — that implies possible cross-skill network download workflows if combined, but the skill itself does not autonomously perform such downloads.
Install Mechanism
This is instruction-only (no install spec). It requires the dashscope Python SDK and recommends FFmpeg; both are typical for this task. No suspicious external download URLs or archive extraction are present. The lack of an install spec means dependencies would be installed manually by the operator, which reduces automatic risk but requires the user to trust the dashscope package source.
Credentials
The SKILL.md and scripts/cli.py require DASHSCOPE_API_KEY (dashscope.api_key = os.environ.get('DASHSCOPE_API_KEY')), but the skill metadata declared no required environment variables or primary credential. That inconsistency is concerning: the runtime needs an API key but the registry entry does not advertise it. No other unrelated credentials are requested.
Persistence & Privilege
The skill is declared with always:false, and the code does not modify agent/system configuration or other skills. It runs only when invoked and does not request persistent elevated privileges.
What to consider before installing
Before installing or using this skill:
- Expect to provide an Aliyun DashScope API key (DASHSCOPE_API_KEY). The registry metadata omitted this; verify the publisher and update the metadata before trusting the skill.
- Treat the API key as a secret. Use a least-privilege key and avoid pasting long-lived account keys unless you control the account and understand DashScope billing and authentication.
- The skill requires the dashscope Python package and FFmpeg. Install packages from trusted sources and verify dashscope's provenance (PyPI project page, source repo) before running pip install.
- NOTES.md mentions integration with a 'tikhub-douyin-media-links' skill that would download media. If you plan to chain skills, be aware that downloaded content and the chain may transmit data to external services.
- If you need higher assurance, ask the publisher to correct the registry metadata to declare DASHSCOPE_API_KEY as a required credential and to provide a homepage or source repo for review; run the skill in a sandboxed environment first.
