iFLYTEK Song Recognition

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a straightforward song-recognition skill, but it uploads the chosen audio file to iFlytek and requires iFlytek API credentials.

Before installing, confirm you are comfortable sending selected audio files to iFlytek and providing iFlytek API credentials. Use a dedicated credential set and only pass file paths for audio you intentionally want analyzed.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Audio files provided to the skill will be uploaded to iFlytek for recognition; an unintended file path could expose unintended local content.

Why it was flagged

The script base64-encodes the supplied file and sends it to an external iFlytek API endpoint. This is expected for song recognition, but it means the chosen audio content leaves the local environment.

Skill content

self.host_url = "https://cn-east-1.api.xf-yun.com/v1/private/s29ebee0d" ... "audio": encoded_file ... response = requests.post(signed_url, json=request_body, timeout=self.timeout)

Recommendation

Only run the skill on audio files you intend to send to iFlytek, and avoid passing sensitive or unrelated local file paths.

What this means

Anyone running the skill with these environment variables can make requests using the configured iFlytek account credentials.

Why it was flagged

The skill requires iFlytek API credentials. This is appropriate for the stated service integration, and the artifacts do not show unrelated credential use or credential exfiltration.

Skill content

export XF_SONG_APP_ID=your_app_id ... export XF_SONG_API_KEY=your_api_key ... export XF_SONG_API_SECRET=your_api_secret

Recommendation

Use dedicated, least-privileged iFlytek credentials for this skill and rotate them if they are shared or exposed.

What this means

The skill may fail or rely on whatever requests package is already installed in the local Python environment.

Why it was flagged

The script depends on the third-party requests package, while the provided install information has no package install spec and lists only python3 as a required binary.

Skill content

import requests

Recommendation

Verify that Python dependencies are installed from trusted sources before running the skill.