Skill v1.0.1
ClawScan security
salute speech · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 19, 2026, 2:19 PM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's code, environment variables, and runtime instructions are consistent with its stated purpose (using Sber Salute Speech async API to transcribe audio), but it contains a notable security tradeoff (SSL verification disabled) that you should understand before installing.
- Guidance
- This skill appears to do what it says: it uploads a user-supplied audio file to Sber's Salute Speech service using the API key in SALUTE_AUTH_DATA and returns transcripts. Before installing, consider the following:
  - Protect SALUTE_AUTH_DATA: treat it like a secret (client_id:client_secret or an authorization key). The script uses it to obtain tokens.
  - Transport security: the client disables SSL verification (verify_ssl=False) and suppresses warnings. That makes network traffic (including tokens and audio uploads) susceptible to interception if you are on an untrusted network. If possible, verify the certificate chain and enable SSL checks.
  - Logs and stdout: the script prints server responses and token info; logs may expose tokens or API responses, so avoid running on shared machines or configure logging to avoid leaking secrets.
  - Review the full source: although the endpoints used are Sber domains, review the complete script (including any truncated portion) before use to confirm there are no unexpected remote endpoints or file operations.
  - For sensitive audio, consider running the client in a controlled environment or using service-provided enterprise options that meet your security requirements.
  If you are comfortable with the SSL tradeoff (or can change the code to enable verification), the skill is coherent and appropriate for its stated purpose.
Review Dimensions
- Purpose & Capability
- ok · Name and description align with the required pieces: the skill needs a Salute API credential (SALUTE_AUTH_DATA) and the 'uv' runner to execute the included Python client. The required binaries and env var map to the declared purpose.
- Instruction Scope
- concern · Runtime instructions are narrowly scoped to reading an API credential, uploading a specified audio file, polling for results, and writing JSON/text outputs. However, the script and SKILL.md explicitly disable SSL verification by default (verify_ssl=False) and suppress warnings; this weakens transport security and risks man-in-the-middle exposure of credentials and audio. The script also prints server responses and token expiry, which could surface sensitive values in logs. Other than that, the instructions do not request unrelated files or credentials.
- Install Mechanism
- ok · No install spec: the skill is shipped as source plus SKILL.md and expects an existing 'uv' runner and the 'requests' library (SKILL.md shows how to run with --with requests). No remote downloads or archive extraction are used.
- Credentials
- ok · Only one required environment variable (SALUTE_AUTH_DATA) is declared and used as the API credential. That is proportionate for a cloud STT integration. No unrelated secrets or config paths are requested.
- Persistence & Privilege
- ok · The skill does not request permanent inclusion (always:false) and does not modify other skills or system-wide settings. Its privileges are limited to using the provided credential and the file paths supplied at runtime.
