ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

meeting-to-text

v1.0.0

Create a fully local speaker-separated .txt transcript from a meeting recording, meeting screen recording, speech audio, or local video/audio file. Use this...

0· 148·0 current·0 all-time
by@henrch1
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name/description: local speaker-separated transcript. Implementation: expects local ASR/VAD model directories and a local 3D-Speaker repo, which is coherent. However the script also calls modelscope.hub.snapshot_download to fetch a speaker model at runtime if not cached — this contradicts the 'fully local' claim. The skill declares no required env vars or binaries, yet it requires a local ffmpeg executable and several model/repo paths to be present (or network access to download a model).
!
Instruction Scope
SKILL.md instructs running the bundled Python entrypoint and to read runtime_paths.md, and treats the last stdout line as JSON — that matches the script. It does not disclose that the script may perform a network download (modelscope.snapshot_download) if a speaker model cache is missing, nor does it highlight the strong dependency on a local 3D-Speaker repo layout and local models; this is scope-opaque and could surprise users who expect strictly offline operation.
Install Mechanism
No install spec (instruction-only + bundled Python script), so nothing is written by an installer. However, the runtime script will import libraries and call snapshot_download at runtime (network download) and invoke ffmpeg via subprocess; there is no package install step described.
Credentials
Requires no credentials or special env vars in metadata, which is appropriate. The code does rely on several local path defaults (PROJECT_ROOT-based) and allows overrides via MEETING_TO_TEXT_* env vars — these are reasonable but not declared. No secrets are requested, but the skill reads and writes local files (models, repos, temp dirs) and may download model artifacts from ModelScope.
Persistence & Privilege
always is false and the skill does not request persistent platform privileges. It executes as a one-off script and does not modify other skills or global agent config.
What to consider before installing
This skill will execute the bundled Python script on your machine and expects local models, a 3D-Speaker repo, and ffmpeg; if those are absent it will try to download a speaker model from ModelScope at runtime (so it is not strictly offline). Before installing/running: (1) review the script and decide whether you trust running arbitrary Python code and subprocesses on your system; (2) prepare the local directories listed in references/runtime_paths.md (or set the MEETING_TO_TEXT_* env vars) to avoid runtime downloads; (3) ensure ffmpeg is available at the expected path or set MEETING_TO_TEXT_FFMPEG; (4) run the skill inside an isolated/temporary environment if you want to limit risk. If you require guaranteed offline behavior, do not use this skill unless you pre-populate the expected model cache and repo paths.
scripts/meeting_to_text.py:225
Dynamic code execution detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f6y7p3b4pvr6c3v40dde901830brg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments