Aliyun Asr

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its Aliyun speech-to-text purpose, but it makes a no-local-storage privacy claim while the code can leave converted audio files on disk.

Review this skill before installing. It appears designed for Aliyun speech-to-text, but you should be comfortable sending voice messages to Aliyun and should fix or accept the local WAV retention behavior for OGG files. Use a limited Aliyun RAM key and ensure requests/ffmpeg are installed from trusted sources.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Private voice messages in OGG format could remain on disk as WAV files after transcription.

Why it was flagged

The skill creates a local WAV copy of OGG input and the code does not delete it, which conflicts with SKILL.md's claim that voice data is not stored locally.

Skill content

if audio_file.endswith('.ogg'):
    wav_file = audio_file.replace('.ogg', '.wav')
    subprocess.run([... '-f', 'wav', wav_file], check=True, capture_output=True)
    audio_file = wav_file

Recommendation

Update the skill to use a temporary file with cleanup, or clearly disclose local conversion-file retention and where files are written.

What this means

Voice messages may contain sensitive information and will be shared with Aliyun for transcription.

Why it was flagged

The skill sends the audio file bytes to Aliyun's ASR endpoint, which is expected for cloud speech recognition but means voice content leaves the local/OpenClaw environment.

Skill content

response = requests.post(url, headers=headers, data=audio_data)

Recommendation

Install only if Aliyun cloud processing is acceptable for the voice channels you plan to use.

What this means

The skill can use the configured Aliyun NLS account permissions and may incur cloud usage under that account.

Why it was flagged

The code reads local Aliyun access credentials from a fixed config file and uses them to obtain an NLS token; this is purpose-aligned but sensitive and under-declared in registry metadata.

Skill content

self.config_path = "/root/.openclaw/aliyun-asr-config.json"

Recommendation

Use a dedicated RAM sub-account with only the permissions needed for ASR, protect the config file, and rotate keys if the host is shared.

What this means

The skill may fail or require manual dependency installation, and users may not see all runtime requirements before installation.

Why it was flagged

The skill documents a Python dependency, and the code also calls ffmpeg for OGG conversion, but the registry requirements list only python3 and there is no install spec.

Skill content

- **Dependency**: `requests` (Python package)

Recommendation

Declare requests and ffmpeg in the skill requirements or document a clear, pinned setup path.