ifly-speed-transcription
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a legitimate transcription skill that uploads user-selected audio to iFLYTEK using user-provided API keys; review the credential and privacy implications before use.
Install or use this skill only if you are comfortable uploading the selected audio to iFLYTEK/XFYUN and providing API credentials. Keep keys out of chats and logs, confirm you have consent to process sensitive recordings, and remove the bundled local .claude settings if they are not needed.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your recording, and possibly its local file path/name, is sent to the external transcription service.
The script sends the chosen local audio file to fixed iFLYTEK/XFYUN API endpoints. Using str(file_path) as the multipart filename may also expose the local path string to the provider.
self.upload_host = "upload-ost-api.xfyun.cn" ... "data": (str(file_path), f.read()) ... requests.post(url, headers=headers, data=file_data, timeout=60)
Use only recordings you are allowed to upload, avoid sensitive path names, and consider changing the upload filename to file_path.name if local path disclosure matters.
Anyone with these keys may be able to use your iFLYTEK account quota or incur charges depending on the account setup.
The skill requires delegated iFLYTEK account credentials to sign API requests. This is purpose-aligned, but the registry metadata does not declare required env vars or a primary credential.
export XFEI_APP_ID="your_app_id" export XFEI_API_KEY="your_api_key" export XFEI_API_SECRET="your_api_secret"
Set credentials only in your local environment, use scoped or low-privilege keys where possible, and rotate them if exposed.
The extra local settings may confuse permission review and are not needed to transcribe audio.
The package includes local Claude permission settings for development or packaging paths that are unrelated to normal transcription use. No automatic execution is shown, but this file is extraneous provenance/packaging data.
"allow": ["Bash(python3 -m py_compile scripts/transcribe.py)", "Read(//Users/yanhuijiang/Desktop/skill打包/**)", "Bash(zip -r \"/Users/yanhuijiang/Desktop/改进之后的skill打包/xfei-speed-transcription.zip\" xfei-speed-transcription/)"]
Remove or ignore .claude/settings.local.json when installing or repackaging the skill.