Addis Assistant

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

The skill matches its stated STT/translation purpose, but its API calls may send your API key and audio/text over non-HTTPS connections.

Use this only after changing the endpoints to explicit HTTPS URLs. Treat any submitted audio/text as shared with Addis Assistant, and avoid passing the API key directly on the command line if you are on a shared machine.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your API key and audio or translated text could be exposed in transit if the request starts over unencrypted HTTP.

Why it was flagged

The script sends an API key and user-selected audio to a remote provider, but the URL lacks an explicit https:// scheme; curl commonly treats scheme-less URLs as HTTP.

Skill content

"--location", "api.addisassistant.com/api/v2/stt", "--header", f"x-api-key: {api_key}", "--form", f"audio=@{audio_file_path}"

Recommendation

Change the scripts and documentation to use explicit https://api.addisassistant.com/... URLs and verify TLS before sending API keys or sensitive content.

What this means

On shared or monitored machines, another local user or tool might see the API key while the command is running or in command history.

Why it was flagged

The API key is expected for this service, but passing it as a command-line argument can expose it through shell history or process listings.

Skill content

print("Usage: python3 translate.py <x-api-key> <text> <source_language> <target_language>")
...
api_key = sys.argv[1]

Recommendation

Prefer reading the API key from a protected environment variable or secret store, and avoid pasting it directly into shell commands.

What this means

Installation may be less transparent, and the skill may fail unless curl is available.

Why it was flagged

The skill has limited provenance metadata and does not declare curl as a requirement even though the scripts call curl.

Skill content

Source: unknown
Homepage: none
Required binaries (all must exist): none

Recommendation

Confirm the publisher/source before use and declare curl plus the required API credential in the skill metadata.