Audio Analyze
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill largely matches its audio transcription purpose, but its helper script builds executable Python from unescaped file paths and settings, which creates a real code-execution risk.
Review before installing. The external transcription workflow and API key use are expected, but the included transcribe.sh script should be treated cautiously because it interpolates user-controlled values into executable Python. Prefer using a fixed, trusted filename and settings, run in a limited environment, and wait for a safer script implementation if you process untrusted files.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A maliciously crafted filename or setting could cause the helper script to run unintended local Python code when the agent tries to transcribe audio.
The shell expands user/config-controlled values into executable Python source instead of passing them as arguments or JSON data. Quotes or other crafted content in the filename, EVOLINK_MODEL, EVOLINK_API_KEY, or language option could break out of string literals and change the code that runs.
python3 -c "
...
with open('$FILE', 'rb') as f:
...
 'model': '${EVOLINK_MODEL:-gemini-3.1-pro-preview-customtools}',
...
{'type': 'text', 'text': '请转录这段音频 (Diarization: $DIARIZATION, Lang: $LANG)'},

Do not run this helper on untrusted paths or with untrusted option/env values until it is rewritten to pass inputs via argv/environment safely and construct the payload inside Python without source-code interpolation.
Audio or video files may contain private conversations or other sensitive information that will be sent to Evolink for processing.
The selected local file is encoded and sent to the Evolink API for transcription. This is aligned with the skill's purpose and is disclosed, but it is still an external data transfer.
audio_base64 = base64.b64encode(f.read()).decode('utf-8')
...
response = requests.post('https://api.evolink.ai/v1/chat/completions', json=payload, headers=headers)

Only transcribe files you are comfortable uploading to Evolink, and review Evolink's retention and privacy terms for sensitive recordings.
Anyone or anything that can read the environment where the skill runs may be able to use the Evolink API key.
The skill requires a provider API key. This is expected for the Evolink integration and the artifacts do not show hardcoded keys or unrelated credential use.
`EVOLINK_API_KEY` (Required): Your API key from Evolink.
Use a dedicated, least-privilege API key if available, avoid sharing logs that include environment values, and rotate the key if you suspect exposure.
Future installs may receive a different requests version than the publisher tested.
The dependency is not version-pinned. Installing an unpinned package is common for simple tools, but it gives less reproducible provenance than a pinned or locked dependency.
requests
Install in a virtual environment and prefer a pinned dependency set if using this in a controlled or production workflow.
