Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fun-ASR speech recognition

v1.0.0

Alibaba Cloud Bailian FunASR audio file recognition: uses the Alibaba Cloud DashScope API for speech-to-text. Triggered when the user needs to transcribe an audio file.

by 彭震东 (@pengzhendong)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and SKILL.md implement an Aliyun DashScope-based ASR client (reads an audio file and sends PCM to a DashScope websocket). That matches the skill description. However registry metadata lists no required environment variables while both SKILL.md and the script require DASHSCOPE_API_KEY, an omission that is incoherent.
Instruction Scope
Runtime instructions are limited to installing two Python packages, setting DASHSCOPE_API_KEY, and running scripts/cli.py on an audio file. The script only reads the provided audio file and sends audio frames to DashScope; it does not attempt to read unrelated files, other credentials, or system state.
Install Mechanism
There is no install spec in the registry (instruction-only), and the SKILL.md instructs pip installing dashscope and librosa. No downloads from arbitrary URLs or archive extraction are present. The only code file is a small CLI script that uses those libraries.
Credentials
The script and SKILL.md require DASHSCOPE_API_KEY (used as dashscope.api_key), but the skill's declared required env vars list is empty — this mismatch could mislead users about secret requirements. Also the included .claude/settings.local.json grants WebFetch to bailian.console.aliyun.com which is unrelated to the runtime websocket endpoint (wss://dashscope.aliyuncs.com) and is not explained.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-wide privileges. It does not modify other skills' configs. Including a settings.local.json is benign but its allowed WebFetch domain is unexpected.
What to consider before installing
This skill appears to be a small client for Aliyun DashScope ASR and will send any audio you run through it to DashScope's service (wss://dashscope.aliyuncs.com). Before installing or running:
1) Treat DASHSCOPE_API_KEY as a secret. The registry metadata failed to declare it, so do not paste keys into unfamiliar installs.
2) Use only a minimally scoped or ephemeral API key, and avoid transcribing sensitive audio.
3) The package includes .claude/settings.local.json permitting WebFetch to bailian.console.aliyun.com (an unrelated Aliyun console domain). Consider removing or reviewing that file if you don't want the skill to request web access.
4) Verify the source and owner, since source and homepage are unknown; inspect the dashscope Python package and the network endpoints you will be talking to.
5) If you plan to install, run it in an isolated environment (virtualenv or container) and confirm that the way DASHSCOPE_API_KEY is used is acceptable to you.


latest: vk97f1nzzrhppn080c8t36ekyq583927w
