Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Qqbot Voice Transcribe

v1.0.0

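QQ Bot automatic voice message recognition v2.0. Automatically decodes the QQ Silk V3 format, transcribes with the Whisper medium model, integrates with the Gateway, and includes a user confirmation flow.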

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (QQ Silk V3 → Whisper transcription) matches the requirements and code: ffmpeg, whisper CLI, silk-v3-decoder, and Python scripts are all reasonable and expected for this task.
Instruction Scope
Runtime instructions and code perform local file transforms (remove first byte, run silk-v3-decoder, convert with ffmpeg, run whisper) and integrate into a Gateway example. This is within the stated scope, but the instructions also recommend system changes (installing packages, creating a 4GB swap, editing /etc/fstab) and run shell commands (exec/promisified exec); review and apply with care.
Install Mechanism
The skill is instruction-only (no package install spec). It instructs cloning a GitHub repo (https://github.com/kn007/silk-v3-decoder) and installing Whisper via pip — a typical, low-to-moderate-risk pattern. Because the decoder (converter.sh, decoder binary) will be executed, you should vet that third‑party repo before running.
Credentials
No secrets or unrelated environment variables are requested. Declared binaries and optional env vars (WHISPER_MODEL, SILK_DECODER_PATH) are proportional to transcription functionality.
Persistence & Privilege
Skill does not request always:true and does not persist or modify other skills. However, following the README may require privileged/system changes (installing packages, creating /swapfile and writing to /etc/fstab) which require root and have system-wide effect — this is operational, not malicious, but deserves caution.
Assessment
This skill appears to do what it says: decode QQ Silk V3 files and transcribe them with Whisper. Before installing or running it: (1) review the silk-v3-decoder repository (converter.sh/decoder) before executing it locally, (2) be prepared to install system packages (ffmpeg, python/pip) and the 'whisper' CLI; these steps may require sudo and can modify /etc/fstab if you follow the swapfile instructions, (3) running Whisper medium uses significant CPU/memory — prefer smaller models or a dedicated machine, (4) the skill executes shell commands (converter, ffmpeg, whisper) on files you provide — validate/limit which attachments you auto-process to avoid processing attacker-supplied payloads, and (5) do not run these instructions as root on sensitive hosts unless you trust the external decoder repo and understand the system changes. If you want higher assurance, run the pipeline in an isolated environment (container/VM) and audit the cloned decoder code first.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
examples/gateway-integration.ts:30: Shell command execution detected (child_process).

latestvk97b0q5cqg13hazj56yq5z7j9s842p58

Runtime requirements

🎤 Clawdis
Bins: ffmpeg, python3, git, whisper
