salute speech
Security checks across malware telemetry and agentic risk
Overview
The skill matches its transcription purpose, but it disables SSL certificate verification by default while using your Sber credentials and uploading audio.
Only use this skill if you are comfortable sending selected audio to Sber and storing transcripts locally. Before installing, prefer a version that enables SSL verification or documents a safe Sber CA configuration, and use a dedicated revocable SALUTE_AUTH_DATA credential.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A network attacker or misconfigured proxy could potentially impersonate the service, observe uploaded audio, or tamper with API traffic.
The provider API upload path uses the default disabled SSL verification setting, so server identity and transport confidentiality are weakened while sending audio to the external transcription service.
verify_ssl=False ... urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) ... requests.post(self.upload_url, headers=headers, data=audio_file, verify=self.verify_ssl)
Enable SSL verification by default, provide a documented CA-bundle or certificate-pinning approach for Sber, and require an explicit user opt-in for any insecure SSL bypass.
If TLS interception occurs, the Sber credential or issued access token could be exposed or misused.
The Sber credential from SALUTE_AUTH_DATA is sent during OAuth token retrieval using the same SSL verification setting that defaults to false.
"Authorization": f"Basic {self.auth_data}" ... requests.post(self.oauth_url, headers=headers, data=data, verify=self.verify_ssl)
Use a dedicated, revocable Sber credential with the minimum needed scope, and avoid running the skill unless SSL verification is enabled or properly configured.
A future dependency change could alter behavior, although this is a common and visible setup pattern for a small Python helper.
The documented execution path relies on a runtime dependency without a pinned version or lockfile.
uv run --with requests {baseDir}/salute_transcribe.py
Pin the requests version or include a lockfile/reproducible install specification.
