ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Meeting Transcriber

v1.0.0

基于FunASR实现的中文实时会议语音转录,支持自动标点、转录保存、环境检测和文件管理。

0· 28·0 current·0 all-time
by@chinapjs·duplicate of @chinapjs/meeting-transcriber
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to provide an OpenClaw meeting transcriber, which matches the code, but the package is not self-contained: meta.json and the scripts expect a specific Windows/Conda setup and external files at D:\dev\python\voiceFunAsr (vocie_mic_fixed_gbk.py, meeting_records, etc.). The manifest given to you earlier stated no required binaries/env, but _meta.json lists required binaries ('python','conda') and external file paths. Requiring and invoking files outside the skill bundle (hard-coded D:\ and C:\Users\pengjschina paths) is disproportionate to a self-contained skill and is inconsistent with the declared requirements.
!
Instruction Scope
SKILL.md and the shipped scripts instruct the agent/user to read and create files in specific system locations (D:\dev\python\voiceFunAsr, C:\Users\pengjschina\.cache, and the user's home .openclaw directory), run conda commands, and possibly download models automatically. The instructions direct editing/writing of SKILL.md and create batch scripts; they rely on or manipulate files that are outside the skill's own files. This is broader than simply 'transcribe audio' and grants the skill filesystem and execution scope beyond a minimal transcriber.
Install Mechanism
There is no declared install spec (instruction-only), which reduces upfront install risk, but the included scripts (conda_setup.py, transcriber.py, openclaw_wrapper.py) will run subprocesses that can install packages, create files, and execute external scripts when invoked. No remote arbitrary archive downloads are present in the package, but runtime behavior may cause network model downloads (modelscope) and conda/pip installs.
!
Credentials
The skill requests no explicit environment variables or credentials, but it hard-codes and expects access to specific system locations (D:\ dev paths and a specific user cache at C:\Users\pengjschina). It also requires Conda and a particular conda env ('audioProject'). Requiring access to and modifying files in those user/system paths (including writing a config to ~/.openclaw) is not proportionate unless the user actually intends to integrate with that existing project layout.
Persistence & Privilege
always:false (good). The skill will write files under its directory and create a config file under the user's home (~/.openclaw), plus batch scripts (start_with_conda.bat / start_meeting.bat). The conda_setup.py includes logic to update SKILL.md and possibly insert code into a 'meeting_minutes.py' — modifying files in the skill directory is normal, but modifying other code files (if present) or writing to the user's config should be noted and approved by the user.
What to consider before installing
This skill is plausible for local Windows/Conda use, but there are red flags you should check before using it: - Inconsistency: the top-level metadata stated no required binaries, but _meta.json and the scripts expect 'python' and 'conda' and a Conda env named 'audioProject'. Decide whether you run this on Windows with Conda. - External dependencies: the core transcriber logic it tries to run (vocie_mic_fixed_gbk.py and other files) is expected at D:\dev\python\voiceFunAsr but those files are not included. Inspect or provide that project directory yourself; the skill will fail or may run unexpected code if those files differ. - Hard-coded paths: the scripts reference C:\Users\pengjschina and D:\ paths. If you run this on your machine those paths will differ; the scripts may create or modify files in your home directory (~/.openclaw) and in the working_directory. Back up anything important first. - Runtime actions: running the provided setup scripts will call conda/pip, create batch scripts, and may download ASR models from the network. Review conda_setup.py and the external transcriber scripts (vocie_mic_*) before running them, ideally in an isolated environment (VM or disposable account). - If you want to proceed: ensure you understand and control the external project files it depends on, run the environment checks manually, and consider running the code in a contained Windows/Conda environment to limit unintended filesystem/network effects. If you are unsure, do not run the setup/start commands until you verify the referenced project files and model download sources.

Like a lobster shell, security has layers — review code before you run it.

latestvk970rjzkdhjfr44cgbp73edqwn842qsg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments