ClawHub

Voice Transcribe

v1.0.1

Transcribe audio files using OpenAI's gpt-4o-mini-transcribe model with vocabulary hints and text replacements. Requires uv (https://docs.astral.sh/uv/).

12· 5.5k·34 current·36 all-time
by@darinkishore
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill name/description (voice transcription via OpenAI) is reasonable, but the SKILL.md asks the user to put OPENAI_API_KEY in a hardcoded path (/Users/darin/.../.env) and to run 'uv run /Users/darin/clawd/skills/voice-transcribe/transcribe'. The package metadata declares no required env vars and includes no executable named 'transcribe'. That mismatch (hardcoded user path + undeclared credential + missing executable) is inconsistent with the stated purpose and deployment model.
!
Instruction Scope
The instructions tell humans/agents to run a 'transcribe' command at an absolute path and to store an OpenAI API key in a specific file — actions outside the skill bundle. They also mention caching and post-processing replacements. Because there is no included code or executable, the instructions are ambiguous and assume local artifacts and secrets that the skill metadata does not disclose.
Install Mechanism
There is no install spec (instruction-only), which is lower risk in itself. However, absence of an install plus references to running an external 'transcribe' binary means the runtime will rely on external tooling (uv and an executable/script) that are not provided; verify where that code comes from before running.
!
Credentials
Metadata claims no required env vars or primary credential, but SKILL.md explicitly instructs placing OPENAI_API_KEY into a local .env file. That is a direct mismatch: the skill needs an API key to function but does not declare it. Also the instructions encourage storing the key in a hardcoded, user-specific path, which is a poor and potentially unsafe practice.
Persistence & Privilege
The skill does not request always:true and does not declare persistent system-wide modifications. Autonomous invocation is allowed by default (normal). There is no evidence the skill attempts to change other skills or system settings.
What to consider before installing
Do not install or run this skill until the author clarifies and fixes these issues: (1) The SKILL.md requires an OPENAI_API_KEY but the metadata lists none—ask the author to declare required env vars (and prefer platform secret storage rather than a hardcoded .env file). (2) The instructions require running a 'transcribe' executable at /Users/darin/... but no executable or install steps are provided—ask where that binary comes from and request an install spec or included code. (3) Confirm the role of 'uv' (astral.sh) and ensure you trust that runtime. (4) Avoid placing API keys in arbitrary files; if you test, use a throwaway key and inspect the actual code that will run. If the author cannot supply the missing files or a credible install source (e.g., a GitHub release or vetted package), treat this skill as unreliable and do not give it secrets or run it with sensitive audio.

Like a lobster shell, security has layers — review code before you run it.

latestvk9798hzptmc339c8be36gfs6cx7ymmn7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments