moss-transcribe-diarize

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill appears coherent and benign, but it sends user-selected audio to a Mosi transcription API using an API key, so users should only process recordings they are comfortable sharing with that service.

Before installing, confirm that you trust the Mosi transcription endpoint for the recordings you plan to process, provide only the intended API key, and choose safe output paths. The artifacts do not show malicious behavior, but the skill handles potentially private audio and provider credentials.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Audio recordings and resulting transcription data may leave the local machine and be processed by the Mosi service.

Why it was flagged

The script submits the selected audio URL, base64 audio data, or converted local file data to a fixed external provider endpoint.

Skill content

TRANSCRIBE_URL = "https://studio.mosi.cn/v1/audio/transcriptions" ... requests.post(TRANSCRIBE_URL, headers=headers, json=payload, timeout=args.timeout)

Recommendation

Use this only for recordings you are allowed to upload to that provider, and avoid sending highly confidential audio unless the provider terms meet your needs.

What this means

Anyone running the skill with these environment variables gives it access to use the corresponding provider account/API quota.

Why it was flagged

The script reads a provider API key from the environment and uses it as a bearer token for the transcription API.

Skill content

api_key = os.getenv("MOSS_API_KEY") or os.getenv("MOSI_TTS_API_KEY") or os.getenv("MOSI_API_KEY") ... "Authorization": f"Bearer {api_key}"

Recommendation

Provide the narrowest appropriate API key, avoid sharing unrelated credentials, and rotate the key if it is exposed.

What this means

The agent can process local paths the user provides and create or overwrite output files at the selected location.

Why it was flagged

The skill instructs the agent to run a local Python tool that reads user-specified audio files and writes result files; this is central to the stated purpose.

Skill content

Call `scripts/transcribe.py` directly according to the user's needs ... `python scripts/transcribe.py --file "/path/to/meeting.mp4" --out "result.json"`

Recommendation

Specify input and output paths deliberately, and avoid directing output to sensitive or system locations.

What this means

The skill may require a preinstalled Python requests package, and users have less metadata to verify dependency setup.

Why it was flagged

The package has no install specification even though the included script imports a non-stdlib dependency, so dependency setup and provenance are less explicit.

Skill content

No install spec — this is an instruction-only skill.

Recommendation

Install dependencies from trusted package sources if needed, and review the included script before first use.