Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Groq Voice Transcriber
v1.0.0 · Automatically transcribes Telegram voice messages using the Groq Whisper API and replies with text generated by an LLM.
⭐ 0 · 249 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
Name/description (Telegram voice → Groq Whisper → LLM reply) aligns with the code and config: the handler reads an audio file, sends it to Groq for transcription and to Groq chat for a reply. The declared required env var (GROQ_API_KEY) is also appropriate for the stated purpose — however the code ships with a hardcoded API key fallback, which contradicts the declared requirement and the SKILL.md instructions.
Instruction Scope
SKILL.md instructs installing requirements and creating a .env with GROQ_API_KEY. The code, however, will ignore a missing env var and use a bundled API key instead, meaning the skill may send user audio and derived text to the author's Groq account if the user doesn't explicitly set their own key. That behavior is not documented in SKILL.md and is scope-creep from a transparency/consent perspective.
Install Mechanism
No custom install script or third‑party download URLs; dependencies are via pip (groq>=0.4.0) which is standard for Python. This is a normal, low-to-moderate risk install mechanism.
Credentials
Only GROQ_API_KEY is required, which is proportionate, but the handler embeds a plaintext default API key in code. That hardcoded credential is inconsistent with the 'required' env behavior, may leak the author's key, and could result in unexpected use of, or billing to, that account. Hardcoded secrets in distributed code are a significant red flag.
Persistence & Privilege
The skill does not set always: true, and it does not request system-wide config or modify other skills. No elevated persistence or unusual privileges are requested.
What to consider before installing
This skill does what it says (sends audio to Groq for transcription and to an LLM for a reply), but it contains a hardcoded Groq API key in handler.py and will use that key if you don't set GROQ_API_KEY. That means your audio can be processed under someone else's account, which is a privacy concern and lets the author observe, and be billed for, your usage. Before installing:
(1) Inspect handler.py and remove the hardcoded key, or make the skill raise an error when GROQ_API_KEY is missing;
(2) Preferably replace the default with no fallback at all and set your own GROQ_API_KEY in a secure env file or secret store;
(3) If you used the embedded key for testing, assume it is compromised and do not send sensitive audio through it;
(4) Check your Groq account logs and billing for unexpected activity and rotate any keys that were exposed;
(5) Consider running the skill in a sandboxed environment and reviewing its network traffic if you need higher assurance.
If the author cannot justify why a default key is embedded, treat that as a blocker to trusting this skill.
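To make the Credentials finding and item (1) of the checklist concrete, here is an added example; it is not code from this skill, from the ClawHub scanner or from OpenClaw. It does two things: an AST-based check that flags os.getenv / os.environ.get lookups of secret-looking variables that carry a string-literal fallback (including the "os.environ.get(...) or 'literal'" spelling), run over a constructed stand-in for handler.py, and a strict loader that raises when GROQ_API_KEY is unset or blank instead of silently using a bundled key. The _SECRET_NAME name heuristic, the placeholder key values and the sample source are assumptions of this example, not the skill's real contents.

```python
"""Flag hardcoded credential fallbacks in Python source, and load secrets fail-closed."""
import ast
import os
import re

# Spellings of environment lookups whose second argument (or default=) is a fallback.
_ENV_GETTERS = {("os", "getenv"), ("os", "environ", "get"), ("environ", "get"), ("getenv",)}
# Heuristic (an assumption of this example): variable names that usually hold credentials.
_SECRET_NAME = re.compile(r"(KEY|TOKEN|SECRET|PASS(WORD)?)", re.IGNORECASE)


def _dotted(node):
    """Turn the AST for os.environ.get into ('os', 'environ', 'get'); None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return tuple(reversed(parts))


def _str_const(node):
    """Return the string value of a literal node, else None."""
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else None


def _env_lookup(node):
    """For os.getenv("NAME", default) style calls return (NAME, default_node); else None."""
    if not isinstance(node, ast.Call) or _dotted(node.func) not in _ENV_GETTERS:
        return None
    if not node.args or _str_const(node.args[0]) is None:
        return None
    default = node.args[1] if len(node.args) > 1 else None
    for kw in node.keywords:
        if kw.arg == "default":
            default = kw.value
    return _str_const(node.args[0]), default


def find_hardcoded_fallbacks(source, filename="<source>"):
    """Return [(lineno, env_var, fallback)] for secret-looking env vars with a literal fallback.

    Covers os.getenv("X", "lit"), os.environ.get("X", default="lit") and
    os.environ.get("X") or "lit". Non-secret names (e.g. a model name) are ignored.
    """
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        lookup = _env_lookup(node)
        if lookup is None and isinstance(node, ast.BoolOp) and isinstance(node.op, ast.Or):
            inner = _env_lookup(node.values[0])
            if inner is not None and len(node.values) == 2:
                lookup = (inner[0], node.values[1])  # the `or "literal"` branch is the fallback
        if lookup is None:
            continue
        name, default = lookup
        literal = _str_const(default)
        if literal and _SECRET_NAME.search(name):
            findings.append((node.lineno, name, literal))
    return sorted(findings)


class MissingSecret(RuntimeError):
    """Raised when a required credential is absent; there is deliberately no fallback."""


def require_env(name, environ=None):
    """Read a required secret from the environment and fail closed if it is unset or blank."""
    environ = os.environ if environ is None else environ
    value = (environ.get(name) or "").strip()
    if not value:
        raise MissingSecret(f"{name} is not set; refusing to fall back to a bundled credential")
    return value


# Constructed stand-in for a handler.py with the flagged pattern; key values are placeholders.
SAMPLE_HANDLER = '''
import os
from groq import Groq
API_KEY = os.getenv("GROQ_API_KEY", "PLACEHOLDER_NOT_A_REAL_KEY")
MODEL = os.getenv("GROQ_MODEL", "whisper-large-v3")
client_key = os.environ.get("GROQ_API_KEY") or "SECOND_PLACEHOLDER"
'''

if __name__ == "__main__":
    for lineno, name, literal in find_hardcoded_fallbacks(SAMPLE_HANDLER, "handler.py"):
        print(f"handler.py:{lineno}: {name} falls back to literal {literal[:8]}... (remove it)")
    try:
        require_env("GROQ_API_KEY", environ={})
    except MissingSecret as exc:
        print("strict loader:", exc)
```

Run the checker over the skill's real handler.py before installing; the two findings on the sample show the two spellings it catches, while the model-name default on line 5 is correctly left alone. Replacing the handler's lookup with require_env("GROQ_API_KEY") is the "no fallback" fix the checklist asks for: a missing key becomes a hard error at startup rather than a silent switch to the author's account.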
latest: vk976df9zm18fwkvn8szw3a14t582d594
