Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
salute speech
v1.0.1
Transcribe audio files using Sber Salute Speech async API. Russian-first STT with support for ru-RU, en-US, kk-KZ, ky-KG, uz-UZ.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description align with required pieces: the skill needs a Salute API credential (SALUTE_AUTH_DATA) and the 'uv' runner to execute the included Python client. Required binaries and env var map to the declared purpose.
Instruction Scope
Runtime instructions are narrowly scoped to reading an API credential, uploading a specified audio file, polling for results, and writing JSON/text outputs. However, the script and SKILL.md explicitly disable SSL verification by default (verify_ssl=False) and suppress warnings—this weakens transport security and risks man-in-the-middle exposure of credentials and audio. The script also prints server responses and token expiry, which could surface sensitive values in logs. Other than that, instructions do not request unrelated files or credentials.
Install Mechanism
No install spec — the skill is shipped as source plus SKILL.md and expects an existing 'uv' runner and the 'requests' library (SKILL.md shows how to run with --with requests). No remote downloads or archive extraction are used.
Credentials
Only one required environment variable (SALUTE_AUTH_DATA) is declared and used as the API credential. That is proportionate for a cloud STT integration. No unrelated secrets or config paths are requested.
Persistence & Privilege
The skill does not request permanent inclusion (always:false) and does not modify other skills or system-wide settings. Its privileges are limited to using the provided credential and file paths supplied at runtime.
Assessment
This skill appears to do what it says: it uploads a user-supplied audio file to Sber's Salute Speech service using the API key in SALUTE_AUTH_DATA and returns transcripts. Before installing, consider the following:
- Protect SALUTE_AUTH_DATA: treat it like a secret (client_id:client_secret or an authorization key). The script uses it to obtain tokens.
- Transport security: the client disables SSL verification (verify_ssl=False) and suppresses warnings. That makes network traffic (including tokens and audio uploads) susceptible to interception if you are on an untrusted network. If possible, verify the certificate chain and enable SSL checks.
- Logs and stdout: the script prints server responses and token info; logs may expose tokens or API responses—avoid running on shared machines or configure logging to avoid leaking secrets.
- Review the full source: although endpoints used are Sber domains, review the complete script (including truncated portion if any) before use to confirm there are no unexpected remote endpoints or file operations.
- For sensitive audio, consider running the client in a controlled environment or using service-provided enterprise options that meet your security requirements.
If you are comfortable with the SSL tradeoff (or can change the code to enable verification), the skill is coherent and appropriate for its stated purpose.
Like a lobster shell, security has layers — review code before you run it.
latest vk973sb3pe0k0c6m5nfe8696j3s81e1hg
Runtime requirements
Bins: uv
Env: SALUTE_AUTH_DATA
Primary env: SALUTE_AUTH_DATA
