Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

asr

v1.0.0

Transcribe audio from URLs or local files into text using multilingual automatic speech recognition via SkillBoss API Hub.

Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The script, SKILL.md, and manifest consistently implement an ASR client that uploads audio to an external API (https://api.heybossai.com). However the top-level registry metadata provided to you omitted the required env var and declared 'no required env vars'. The README, manifest, and author text reference 'heybossai.com' while SKILL.md instructs signup at 'skillbossai.com' — a domain mismatch that is unexplained.
Instruction Scope
The runtime instructions and the included script are narrowly scoped: they download a URL or read a local file, base64-encode the audio, and POST it to the API endpoint with the SKILLBOSS_API_KEY. The instructions do not direct the agent to read other files, network endpoints, or additional environment variables beyond the API key. Note: the agent will download arbitrary URLs and transmit their contents to a third-party service.
Install Mechanism
There is no install spec and the skill ships as a small shell script plus docs. No external downloads or archive extraction occur at install time. This is a low-risk install mechanism, but the packaged script will be written to disk as part of installing the skill bundle.
Credentials
Operationally the skill requires a single API key (SKILLBOSS_API_KEY) which is proportionate to the stated purpose. However the registry-level metadata you were shown claims 'Required env vars: none' and 'Primary credential: none' while the manifest and SKILL.md do require SKILLBOSS_API_KEY — this inconsistency is concerning. Also the SKILL.md and script point to two different domains (skillbossai.com vs heybossai.com), increasing the risk of misconfiguration or credential leakage to the wrong service.
Persistence & Privilege
The skill is not marked always:true and does not request elevated or persistent system privileges. It does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not in itself a red flag here.
What to consider before installing
What to check before installing:

  • Verify the provider domain and repository: SKILL.md mentions signing up at skillbossai.com but the script and manifest use heybossai.com / api.heybossai.com. Confirm which domain is legitimate and that your API key will be sent to the intended service.
  • Confirm the manifest actually published with SKILLBOSS_API_KEY as a required env var; the top-level metadata you were shown omitted it. Treat that discrepancy as a packaging error until proven otherwise.
  • Understand data flow: any URL you feed (or any local file you point at) will be downloaded/read and uploaded (base64 in JSON) to the external API. Do not send sensitive audio unless you trust the service and privacy terms.
  • Ensure your environment has the expected CLI tools the script uses (curl, base64, mktemp). The skill did not declare required binaries even though the script uses them.
  • Test with non-sensitive audio and a disposable API key first. If possible, use a least-privilege or time-limited key for initial testing.
  • If you need higher assurance, inspect the repository at the manifest's 'repository' URL and contact the provider to confirm the correct signup domain and API endpoint.

Given the domain/metadata inconsistencies, proceed only after verifying the provider and the destination of your API key and audio data.
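One way to automate the first two checks on an unpacked skill bundle, as an added example that is not part of the skill or of the ClawHub scanner. The function names, the short TLD list, the hand-supplied list of declared env vars and the sample bundle contents are all assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the skill: audit an unpacked skill bundle.
# Distinct registrable domains mentioned anywhere under directory $1.
# Assumptions: a short TLD list, and "last two labels" as the registrable
# domain (wrong for suffixes such as co.uk). RFC 2606 example domains are dropped.
bundle_domains() {
  grep -rhoiwE '([a-z0-9-]+\.)+(com|net|org|io|ai|dev)' "$1" \
    | awk -F. '{ print tolower($(NF-1) "." $NF) }' \
    | grep -vxE 'example\.(com|net|org)' \
    | sort -u
}

# Credential-like env var names (*_KEY, *_TOKEN, *_SECRET) referenced under $1
# that are missing from the space-separated declared list in $2.
undeclared_credentials() {
  local declared; declared=$(printf '%s\n' $2)
  grep -rhowE '[A-Z][A-Z0-9_]*_(KEY|TOKEN|SECRET)' "$1" \
    | sort -u \
    | grep -vxF -e "$declared" || true
}

# Returns 1 and prints one warning per finding; returns 0 if nothing is flagged.
audit_skill() {
  local domains creds rc=0
  domains=$(bundle_domains "$1")
  creds=$(undeclared_credentials "$1" "$2")
  if [ "$(printf '%s\n' "$domains" | grep -c .)" -gt 1 ]; then
    echo "WARN more than one provider domain:" $domains; rc=1
  fi
  if [ -n "$creds" ]; then
    echo "WARN credential env vars not declared in metadata:" $creds; rc=1
  fi
  return $rc
}

# Constructed sample bundle mirroring the mismatch described in the scan report.
make_sample_bundle() {
  local d; d=$(mktemp -d) && mkdir -p "$d/scripts"
  printf '%s\n' 'Sign up at skillbossai.com to obtain your SKILLBOSS_API_KEY.' \
    'asr.sh transcribe --url "https://example.com/audio.mp3"' > "$d/SKILL.md"
  # Constructed stand-in for the real script, which is not shown on the page.
  printf '%s\n' 'curl -H "Authorization: Bearer $SKILLBOSS_API_KEY" https://api.heybossai.com' > "$d/scripts/asr.sh"
  echo "$d"
}

sample=$(make_sample_bundle)
audit_skill "$sample" "" || true   # registry metadata declared no env vars
rm -rf "$sample"
```

Passing the env vars the registry actually declares as the second argument clears the credential warning; the domain warning remains until the bundle references a single provider domain.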

Like a lobster shell, security has layers — review code before you run it.

17 downloads
0 stars
1 version
Updated 7h ago
MIT-0

ASR (Automatic Speech Recognition) Skill

Fast, accurate automatic speech-to-text transcription powered by SkillBoss API Hub.

Why use this skill?

  • Multilingual: Supports 100 languages with auto-detection.
  • Flexible Input: Transcribe from a URL or a local file.
  • Agent-Ready: Designed for high-volume, automated pipelines.
  • Unified API: Powered by SkillBoss API Hub — single key, single endpoint.

Setup

1. Get an API Key

Sign up at skillbossai.com to obtain your SKILLBOSS_API_KEY.

2. Configure Authentication

This skill looks for your API key in the SKILLBOSS_API_KEY environment variable.

Add this to your .env or agent config:

SKILLBOSS_API_KEY=your_key_here

Usage

TL;DR for Agents

When this skill is installed, you can transcribe any URL or local file by running:

./skills/asr/scripts/asr.sh transcribe --url "https://example.com/audio.mp3"

Transcribe a URL

# Basic transcription
./skills/asr/scripts/asr.sh transcribe --url "https://example.com/audio.mp3"

# With language hint
./skills/asr/scripts/asr.sh transcribe --url "https://example.com/audio.mp3" --language "en"

Transcribe a Local File

# Upload and transcribe local media
./skills/asr/scripts/asr.sh transcribe --file "./local-audio.wav"

Supported Options

  • --language <code>: ISO language code (e.g., 'en', 'es')

Output

Returns a JSON response. The transcription text is in:

.result.text

If the SKILLBOSS_API_KEY is missing, the tool will provide a clear error message.
