Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

speech-translation

v1.0.0

Build, adapt, or run an audio-processing workflow that takes spoken audio, transcribes it with Whisper or faster-whisper, translates the transcript using the...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description match the included Python pipeline: transcription (faster-whisper or mock), translation (agent-LLM, manual, or HTTP service), and TTS (piper or mock). There are no unrelated required credentials, binaries, or config paths; the code and docs consistently implement the described workflows.
Instruction Scope
SKILL.md stays on-purpose (chat-native vs local pipeline, LLM-assisted default). It explicitly supports notification hooks that run external commands to report stages; those hooks (and send_text/send_audio helpers) cause the runtime to execute arbitrary shell commands when configured. This is expected for a pipeline but expands the skill's runtime actions beyond pure file IO/network calls — treat notification command templates as sensitive configuration.
Install Mechanism
No install spec (instruction-only + bundled scripts). That lowers risk because nothing is downloaded or installed by the registry; the repo only contains local Python scripts and shell wrappers. The runtime does require optional third-party packages (faster-whisper, requests) and an external 'piper' binary for full functionality, per the README.
Credentials
The skill declares no required env vars or credentials, which matches the code. However several scripts read optional environment variables (VOICE_TRANSLATE_TEXT_COMMAND_TEMPLATE, VOICE_TRANSLATE_AUDIO_COMMAND_TEMPLATE) as command templates. These are not required but, if set, control what external commands are run and could be used to exfiltrate data if misconfigured or supplied by an attacker.
Persistence & Privilege
The skill does not request persistent/always-on inclusion, does not modify other skills or system settings, and does not demand elevated privileges. It runs as a normal on-demand pipeline invoked by the agent/user.
Assessment
This skill appears to do exactly what it says: local transcription, translation orchestration, and TTS. Before installing or running it:
1) Only configure notification command templates (or environment variables that set them) from trusted sources — the notifier code executes those commands with shell=True and may run arbitrary processes.
2) Prefer the provided mock senders for testing to avoid accidental data leaks.
3) Run the pipeline in a sandbox or isolated environment if you plan to use service backends or custom command hooks.
4) Validate any translation_service_url you provide and avoid pointing it to untrusted endpoints.
5) Keep the external piper binary and Python dependencies installed from trusted channels.
If you want, I can point to the exact lines where subprocess.run with shell=True and unescaped formatting is used so you can review or harden them.


latestvk975j9ythd4j2ne3cqw3xc04ps83vrdx
