Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Deepgram Voice Workflow

v0.1.0

End-to-end voice workflow with Deepgram STT and TTS. Use when transcribing voice messages, generating spoken replies, or building a shell-based audio pipelin...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
Name, description, and included scripts are consistent with an end-to-end Deepgram STT/TTS pipeline; however the registry metadata declares no required environment variables or primary credential while the runtime explicitly requires DEEPGRAM_API_KEY. That mismatch is an incoherence that could surprise users.
! Instruction Scope
Runtime instructions and bundled scripts are narrowly scoped to: read an input audio file, call api.deepgram.com, and write transcript/MP3 outputs. However the scripts also look for /root/.openclaw/.env as a fallback for DEEPGRAM_API_KEY (documented in SKILL.md). Reading a root-level config file is outside the minimal scope and was not declared in the registry metadata.
Install Mechanism
No install spec (instruction-only with bundled shell scripts). No remote downloads, no package installs, and no code obfuscation — this is low-risk from an install mechanism perspective.
! Credentials
The scripts require a Deepgram API token (DEEPGRAM_API_KEY) to function, but the skill registry lists no required env/primary credential. The fallback that reads /root/.openclaw/.env is a privileged file path not declared. Requesting a single Deepgram key is proportionate to the stated purpose, but the undeclared root-level config access is problematic.
Persistence & Privilege
The skill does not request persistent/system-wide privileges (always=false). It does not modify other skills or system configs. It creates local output files (under /tmp or user-specified directories) which is expected.
What to consider before installing
This skill appears to do what it says (call Deepgram STT/TTS and write transcripts/MP3s), but the package metadata did not declare the required DEEPGRAM_API_KEY — the scripts will fail without it. Before installing or running:
1) do not put sensitive credentials into a shared root file; prefer setting DEEPGRAM_API_KEY in the invoking user's environment rather than relying on /root/.openclaw/.env;
2) verify the Deepgram API key you provide is scoped appropriately (rotate and limit permissions where possible);
3) inspect the three shell scripts yourself (they are short) to confirm you are comfortable with network calls to api.deepgram.com and with files being written to /tmp or your chosen out_dir; and
4) be cautious because the skill source/homepage is unknown — if you need stronger assurance ask the publisher for provenance or a homepage before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk974bqfnk8baa2s4my6sptwm2s82qrkq
