Skill v1.0.0
ClawScan security
Voice Transcription · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 8:41 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and minimal dependencies are consistent with a transcription tool that uploads audio to the SiliconFlow API; nothing in the package indicates hidden functionality or unrelated credential requests.
- Guidance: This skill appears to do exactly what it says: it uploads the audio file you provide to https://api.siliconflow.cn for transcription and returns the text. Before installing or using it, confirm you trust SiliconFlow (privacy, retention, and security of transcripts), keep your SILICONFLOW_API_KEY secret (prefer passing it per-invocation rather than exporting globally), and avoid uploading highly sensitive audio unless the provider's policies meet your requirements. Also note the 50MB / 1-hour limits and the 120s request timeout documented in the script.
Review Dimensions
- Purpose & Capability (ok): Name/description match the implementation: the Python script and SKILL.md call a SiliconFlow transcription endpoint, require python3 and the requests library, and support selecting models. There is a small metadata omission: SKILL.md documents an optional environment variable (SILICONFLOW_API_KEY) but the registry's required env list is empty; this is a minor documentation mismatch, not a functional incoherence.
- Instruction Scope (ok): Runtime instructions and the script remain scoped to uploading a specified audio file and returning transcription results. The script reads only the given audio file and an API key (from CLI or SILICONFLOW_API_KEY), and posts to the declared API URL. It does not enumerate or read unrelated system files, nor does it exfiltrate arbitrary data to unknown endpoints.
- Install Mechanism (ok): No archive downloads or unusual installers: the only declared install step is installing the Python requests package (pip), which matches the script's import. Required binaries (python3, curl) are reasonable for a CLI transcription utility.
- Credentials (note): The skill sensibly requires a single external API key (SiliconFlow). That key is proportionate to the functionality. Note: the registry did not mark SILICONFLOW_API_KEY as a required env var even though the SKILL.md and script rely on it; users should be aware the API key is mandatory at runtime (via --api-key or env). Also, using the skill uploads audio to a third-party service; treat the API key and audio content as sensitive.
- Persistence & Privilege (ok): The skill does not request always:true and does not modify agent or system-wide configuration. It is user-invocable and can run autonomously (platform default), which is expected for a skill of this type.
