autoglmasr
ReviewAudited by ClawScan on May 1, 2026.
Overview
The skill matches its audio-transcription purpose, but users should notice that it runs an external npm MCP server, uses a Zhipu API key, and uploads selected audio to an external ASR API.
This skill appears purpose-aligned for audio transcription. Before installing, verify the npm package/repository, use a dedicated API key, and only provide audio files that you are comfortable sending to the Zhipu/BigModel ASR service.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The actual MCP server code would come from the npm package at install/run time, so users are trusting that external package source.
The skill tells users to run an npm package via npx, including a no-prompt install mode, while no runnable code is included in the reviewed artifacts and no version is pinned.
npx autoglm-asr-mcp ... "args": ["-y", "autoglm-asr-mcp"]
Verify the npm package and linked GitHub repository before use, and pin a known version where possible.
Anyone or any configured process with access to this key may be able to use the ASR provider account and incur usage costs.
The skill requires a Zhipu/AutoGLM API key, but the registry metadata declares no primary credential or required environment variables.
"AUTOGLM_ASR_API_KEY": "your-api-key" ... `AUTOGLM_ASR_API_KEY` | 必填 | 智谱 API Key
Use a dedicated, least-privilege API key if available, store it only in the intended MCP configuration, and rotate it if exposed.
Audio files may contain private speech or business information and will be sent to an external service for transcription.
The documented workflow uploads audio chunks to the external BigModel/Zhipu transcription API.
AUTOGLM_ASR_API_BASE | https://open.bigmodel.cn/api/paas/v4/audio/transcriptions ... files={"file": ("audio.wav", chunk_data, "audio/wav")}Only transcribe audio you are allowed to send to the provider, review the provider’s data-handling policy, and configure the API endpoint deliberately.