ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

meeting record analysis

v1.0.0

将会议录音转成结构化会议纪要。适用于用户上传会议音频后,希望通过 ASR 转写、LLM 总结和可选 TTS 播报,自动提取会议主题、讨论要点、决策和行动项的场景。输入支持 `audio_file`、`need_voice_summary`、`language`;默认输出 JSON 结构化纪要,并可附带语音摘要文件路径。

0· 111·0 current·0 all-time
by@cows21
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (convert meeting audio to structured minutes) aligns with the included script and prompts: it performs ASR, transcript cleaning, LLM summarization, and optional TTS. The code calls ASR, LLM and TTS endpoints (senseaudio.cn and models.audiozen.cn), which is coherent with the purpose.
Instruction Scope
SKILL.md and the script stay within the declared workflow (validate audio, call ASR, clean transcript, call LLM to produce JSON, optionally call TTS, save outputs). However, the instructions and code explicitly send audio and text to third‑party endpoints (https://api.senseaudio.cn and https://models.audiozen.cn), which means user data will be transmitted off‑host. The skill also attempts to load .env files from the skill dir or CWD for credentials.
Install Mechanism
No installer or remote download is used; it's an instruction+script package with a simple requirements.txt (openai, requests, python-dotenv). This is proportionate to the task and does not introduce high-risk remote installation behavior.
!
Credentials
The registry declares no required environment variables, but the script requires several API keys/env vars (MEETING_LLM_API_KEY or IME_MODEL_API_KEY, MEETING_ASR_API_KEY or SENSEAUDIO_API_KEY, MEETING_TTS_API_KEY or SENSEAUDIO_API_KEY, and optional overrides like MEETING_LLM_BASE_URL). The script will exit if required keys are missing and will load .env files from disk. Requiring multiple unrelated credentials without declaring them in metadata is a discrepancy and a potential surprise to users.
Persistence & Privilege
The skill is not always: true and does not request system-wide privileges. It writes outputs to a local outputs/ directory inside the skill, and may read .env files from the skill or current working directory. It does not modify other skills or system configs.
What to consider before installing
Before installing or running this skill: (1) Recognize that audio and transcript text are uploaded to external endpoints (models.audiozen.cn and api.senseaudio.cn by default). Only use with recordings you are comfortable sending off‑host. (2) The script expects API keys (LLM, ASR, TTS) via environment variables or .env files, but the registry metadata did not list these — confirm which secrets you'll provide and trust the service operators. (3) Inspect the .env.example and the script to confirm which env names and endpoints will be used; consider overriding endpoints to services you trust. (4) Run in an isolated environment (container) and review outputs/ for any sensitive intermediate files; remove credentials from working dirs when finished. (5) If you need higher assurance, ask the publisher for verified source/homepage and for the skill metadata to declare required env vars and endpoints explicitly.

Like a lobster shell, security has layers — review code before you run it.

latestvk97db84z3h6ebfxsg2qa0bm5x9833b9s

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments