salute speech
Warn
Audited by ClawScan on May 10, 2026.
Overview
This transcription skill matches its stated purpose, but it sends your API credential and audio to Sber with SSL certificate checks disabled by default.
Install only if you are comfortable uploading the selected audio files to Sber Salute Speech. The main issue to review is that SSL verification is disabled by default; prefer a fixed version that verifies or pins certificates before using it with sensitive audio or credentials.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A network attacker, proxy, or misconfigured network path could impersonate the API endpoint or inspect/alter credentials, uploaded audio, or transcript data.
The client defaults certificate verification off and uses that setting for credential-bearing OAuth requests; the same verify setting is also used for API upload/recognition calls in the provided code.
verify_ssl=False ... "Authorization": f"Basic {self.auth_data}" ... requests.post(self.oauth_url, headers=headers, data=data, verify=self.verify_ssl)
Enable SSL verification by default, document how to install or pin Sber's certificate chain if needed, and only use this skill on trusted networks until transport verification is fixed.
The skill can use the configured Sber credential to create transcription jobs and may consume account quota or incur provider-side usage.
The skill requires a Sber API credential. That is expected for the stated transcription service, but it grants access to the user's Salute Speech account/quota.
**API Key**: Environment variable `SALUTE_AUTH_DATA` must be set (Base64-encoded `client_id:client_secret` or raw authorization key
Use a least-privileged Salute Speech credential where possible, keep it in the environment rather than hardcoding it, and rotate it if you used the skill over an untrusted network.
A future dependency-resolution change could run a different package version than the author tested.
The documented runtime command resolves the `requests` dependency without a version pin or lockfile. This is common for small scripts but leaves dependency provenance less controlled.
uv run --with requests {baseDir}/salute_transcribe.py
Pin dependency versions or provide a lockfile/install spec for reproducible execution.
