Addis Assistant
v1.0.0Provides Speech-to-Text (STT) and text Translation using the Addis Assistant API (api.addisassistant.com). Use when the user needs to convert an audio file to text (specifically Amharic), or translate text between languages (e.g., Amharic to English). Requires 'x-api-key'.
⭐ 1· 2.1k·3 current·3 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md, api_spec, and the two included Python scripts all implement Speech-to-Text and translation against api.addisassistant.com, which is coherent with the skill name and description. However the registry metadata does not declare the primary credential or any required binaries even though the scripts require an API key and call the curl binary.
Instruction Scope
Runtime instructions and scripts are narrowly focused on calling the Addis Assistant endpoints. They only reference the provided audio file path or text and the x-api-key; they do not instruct the agent to read unrelated files, environment configuration, or transmit data to third-party endpoints beyond api.addisassistant.com.
Install Mechanism
No install spec is provided (instruction-only). The included code uses system curl via subprocess; nothing is downloaded or extracted by an installer. This is low install risk, but the presence of runnable scripts means users will execute code from an unknown source.
Credentials
SKILL.md and scripts require an 'x-api-key' argument, but the skill metadata does not declare any required environment variables or a primary credential. Also the scripts rely on the 'curl' binary but the required-binaries list is empty. These mismatches mean the skill's declared requirements are incomplete and could cause confusion or insecure handling of credentials.
Persistence & Privilege
The skill is not marked always:true and does not request elevated or persistent system privileges. It does spawn subprocesses (curl) to perform API calls, which is expected for this purpose and is done without shell interpolation (subprocess list usage), reducing shell-injection risk.
What to consider before installing
This skill appears to do what it claims (Amharic STT and translations) but there are a few things to check before installing or running it:
- Verify the service/domain: api.addisassistant.com has no listed homepage in the package metadata. Confirm the API provider is legitimate and trustworthy before sending audio or text and before giving them an API key.
- Provide the API key carefully: the scripts expect the x-api-key as a command-line argument, which can be visible in process lists on your system. Prefer passing secrets via a secure mechanism (stdin, environment variable, or a secrets manager) and avoid typing keys directly on shared machines.
- Required binary not declared: the scripts call the curl binary but the skill metadata does not list curl as required. Ensure curl is installed, or review the scripts and consider using a vetted implementation (e.g., Python requests) that clearly documents dependencies.
- Confirm TLS/URL: the examples use api.addisassistant.com without an explicit scheme; ensure the real requests use HTTPS (https://api.addisassistant.com) so data is encrypted in transit.
- Audit the code before running: the included scripts are short and readable, but you should review them yourself to ensure they match the shipped content and that no modifications exfiltrate data elsewhere.
Given the unknown origin and the metadata mismatches, do not hand over sensitive or high-privilege API keys until you verify the service and fix the dependency/credential handling. If you want, I can list concrete changes to make the skill safer (declare curl as required, accept API key via env or stdin, add HTTPS to endpoints, or replace curl with requests).Like a lobster shell, security has layers — review code before you run it.
latestvk9789m5dts9v8wnj8jwnzae1xh80bw9z
License
MIT-0
Free to use, modify, and redistribute. No attribution required.