Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
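MOSI Transcribe Diarize (Multi-Speaker Transcription)
v1.0.0
MOSS multi-speaker transcription skill. Supports URL / local file / Base64 audio input and outputs structured transcription results with timestamps and speaker labels (JSON, per-segment text, per-speaker summary). Intended for meeting minutes, interview recordings, and organizing multi-party conversations.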
by YYL @mkkb473
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (multi‑speaker transcription) align with the included script and runtime instructions: the script sends audio (URL, local file encoded as data URL, or base64) to studio.mosi.cn for diarization. However, registry metadata claims no required env vars/credentials while the SKILL.md and script require an API key (MOSS_API_KEY / MOSI_TTS_API_KEY / MOSI_API_KEY). This metadata mismatch is an inconsistency to be aware of.
Instruction Scope
SKILL.md instructs the agent to run scripts/transcribe.py with clearly scoped arguments (--audio-url, --file, --audio-data). The script only reads the provided audio file (if --file), base64-encodes it, and POSTs JSON to the enforced endpoint (https://studio.mosi.cn). It does not attempt to read arbitrary system files or other environment variables beyond the API keys described.
Install Mechanism
This is instruction-only with an included Python script (no network install). No external downloads or installers are used. The script imports the requests library but no install step or dependency declaration is provided in the registry metadata or SKILL.md — users will need Python and the requests package available in the environment.
Credentials
The script requires an API key (it checks MOSS_API_KEY and falls back to MOSI_TTS_API_KEY or MOSI_API_KEY) and will send that key as a Bearer token to studio.mosi.cn. That credential is appropriate for the declared purpose, but the registry metadata incorrectly lists 'Required env vars: none' and 'Primary credential: none' — an incoherence that could confuse permission/approval workflows. No unrelated secrets are requested.
Persistence & Privilege
The skill does not request persistent/invisible presence (always:false). It does not alter other skills or agent-wide config. Autonomous invocation is allowed (platform default) but not combined with other concerning privileges.
What to consider before installing
- The script will upload any provided audio (including local files you point to) to https://studio.mosi.cn and send your API key as a Bearer token. Only supply an API key you trust the service with and avoid sending highly sensitive audio unless you have an acceptable data policy.
- There is a metadata inconsistency: the registry entry claims no required env vars but SKILL.md/script require MOSS_API_KEY (with fallbacks). Treat this as a documentation gap — confirm where to store/approve the key before installation.
- The script requires the Python 'requests' package; the skill does not declare installation steps. Make sure your environment has required Python deps.
- The code enforces HTTPS and restricts the host to studio.mosi.cn, which limits accidental exfiltration to other domains. That is good, but you should still verify the service (studio.mosi.cn) and the skill owner (currently 'unknown').
- If you need higher assurance: ask the publisher to (a) correct registry metadata to declare the required env vars, (b) provide provenance for the code (source repo, signing), and (c) document the data retention/privacy policy for uploaded audio. Rotate or scope API keys used with this skill where possible.

Like a lobster shell, security has layers — review code before you run it.
latestvk97c4j73wypqk514k22z43wv0n833pc0
Runtime requirements
Environment variables
MOSS_API_KEY (required): MOSI Studio API Key. The script accepts MOSS_API_KEY, MOSI_TTS_API_KEY, or MOSI_API_KEY, in that order of priority. Obtain one from studio.mosi.cn.