Step Asr
PassAudited by ClawScan on May 1, 2026.
Overview
The skill appears to do what it claims: transcribe a chosen audio file through StepFun ASR, while requiring an API key and sending the audio to that external service.
This skill looks coherent and purpose-aligned. Before installing, make sure you are comfortable sending selected audio files to StepFun and using your StepFun API key for the requests.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Any private speech or background audio in the selected file may be processed by StepFun.
The script uploads the selected audio file contents, encoded as base64, to the external StepFun ASR API. This is expected for cloud transcription but means audio data is shared with the provider.
API_URL = "https://api.stepfun.com/v1/audio/asr/sse" ... "data": audio_b64
Only transcribe files you are comfortable sending to StepFun, and review the provider's data handling terms for sensitive recordings.
The skill can use your StepFun account quota or billing for transcription requests.
The script requires a StepFun API key and sends it as an Authorization bearer token to the StepFun API. This is purpose-aligned for the service integration.
api_key = os.environ.get("STEPFUN_API_KEY", "") ... "Authorization": f"Bearer {api_key}"Use a StepFun key intended for this purpose, rotate it if exposed, and avoid sharing transcripts or command logs that might reveal credentials.
You have less external assurance about who maintains the skill or where updates originate.
The registry metadata does not identify a source repository or publisher provenance. The included code is small and coherent, and no external installer is shown, but provenance is limited.
Source: unknown
Prefer installing from trusted publishers or compare the included endpoint and behavior against StepFun's official documentation before use.