Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Telegram Multilingual Voice Reply
v0.1.0
Smart Telegram reply workflow for OpenClaw: if the user sends text, reply with text; if the user sends a voice note/audio, transcribe locally using the insta...
by 0x1 @pengling9405
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (Telegram multilingual voice reply) align with the included artifacts: SKILL.md describes local ASR/TTS behavior and the repository includes two helper scripts (mlx_asr.py and mlx_tts_voice.py) that implement those functions using mlx_audio and ffmpeg. The models named (Qwen3-ASR, Qwen3-TTS) are consistent with the stated approach.
Instruction Scope
SKILL.md explicitly limits actions to: transcribing audio with the provided scripts, generating TTS, and sending a Telegram voice message with a caption that matches the voice. The instructions do not ask the agent to read unrelated files, access secrets, or call unknown external endpoints. The scripts operate on audio files provided to them and create temporary files as expected.
Install Mechanism
There is no install spec (instruction-only), which reduces risk. However, the scripts depend on external tooling (the mlx_audio CLI or an importable mlx_audio package, and ffmpeg). Installing or running those tools may pull large model files from upstream (HuggingFace/other), which implies network activity and substantial disk use; this is expected for local ASR/TTS but worth noting.
Credentials
The skill requests no environment variables or credentials. The scripts look for a fallback CLI under the user's home (~/.local/bin) and use temporary files — both are reasonable for this use case. They do not read arbitrary config paths or secret env vars.
Persistence & Privilege
The skill is not always-on and does not modify other skills or system-wide config. It runs as-invoked and does not request elevated persistence or cross-skill access.
Assessment
This skill appears internally consistent and implements local ASR/TTS as described. Before installing or running it, make sure you:
(1) install mlx_audio and ffmpeg from trusted sources and be aware those installs will likely download large model files (network + disk usage);
(2) run the scripts in an environment you control (container/venv) because they will execute local binaries and create temporary files;
(3) avoid passing paths to sensitive files, as the scripts operate on file paths you provide;
(4) note the scripts call external CLIs found on PATH or ~/.local/bin, so ensure those executables are the genuine tools you intend to use to prevent accidental execution of a replaced/malicious binary.
If you need the agent to run in a more restricted environment, prefer isolating execution or denying network/model downloads.
