Skill v1.0.1
ClawScan security
acestep-lyrics-transcription · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 13, 2026, 3:46 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, runtime instructions, and configuration align with its stated purpose (transcribe audio via OpenAI Whisper or ElevenLabs Scribe); no unrelated credentials, installers, or hidden endpoints are requested.
- Guidance: This skill appears to do what it says: it uploads user-supplied audio to OpenAI or ElevenLabs to produce timestamped lyrics and saves outputs locally. Before installing, consider: (1) Privacy — audio is sent to a third-party service (OpenAI/ElevenLabs); avoid uploading sensitive audio or confirm provider policy. (2) API keys — you will store provider keys in scripts/config.json (plaintext) so protect that file and your environment. (3) Billing — provider usage may incur costs. (4) The SKILL.md warns not to display API keys; the script will, however, read the key to contact the provider. If you prefer not to store API keys on disk, use a secure secret mechanism or ephemeral keys. If you need deeper review, provide the full remainder of the script (the ElevenLabs section was truncated) so its network calls and file operations can be inspected.
Review Dimensions
- Purpose & Capability (ok): Name/description (lyrics transcription using OpenAI or ElevenLabs) match the included script and SKILL.md: the bash script calls provider APIs to transcribe audio and converts timestamps to LRC/SRT/JSON. Required tools (curl, jq, python) are reasonable for this task.
- Instruction Scope (ok): SKILL.md stays on-topic: it instructs checking/setting a provider API key, running the transcribe command, and doing a manual LRC correction workflow. It does not instruct reading unrelated system files or exfiltrating data to unexpected endpoints; network calls are limited to configured provider API URLs.
- Install Mechanism (ok): No install spec is provided (instruction-only with bundled script). Nothing in the package attempts to download or install external code during install time.
- Credentials (note): No platform environment variables are required; the script uses a local config.json to store provider API keys. Requesting OpenAI/ElevenLabs API keys is proportionate to the functionality. Note: keys are stored plaintext in scripts/config.json (typical but sensitive) and the script must read the key to send it in Authorization headers — SKILL.md explicitly warns not to print keys.
- Persistence & Privilege (ok): always:false and there is no sign the skill attempts to modify other skills or system-wide agent settings. It is user-invocable and does not request persistent elevated privileges.
