Skill v1.0.0
ClawScan security
Step Asr · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 1, 2026, 7:31 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it transcribes audio via the Step (StepFun) ASR SSE API, requires only python3 and a StepFun API key, and the code and instructions match that purpose.
- Guidance: This skill appears to implement exactly what it claims: it base64-encodes a local audio file and sends it to the Step/StepFun ASR endpoint, authenticating with STEPFUN_API_KEY. Before installing, consider: (1) Privacy: audio you transcribe is uploaded to StepFun, so do not send sensitive recordings unless you trust the service and the owner of the key; (2) API key handling: keep STEPFUN_API_KEY in the environment or a secrets store, never hardcoded in the script; (3) Resource use: the script reads the entire file into memory before encoding, and base64 output is about a third larger than its input, so long recordings can be costly; (4) Network access: the script contacts only api.stepfun.com, which matches the description; (5) If you need different behavior (streaming chunks from disk rather than one large upload), inspect and modify the script. Overall the skill is coherent with its stated purpose.
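The three pre-install checks in the guidance (key only from the environment, traffic only to the declared endpoint, bounded memory for large files) can be made concrete. The following is an added illustration written for this page; it is not code from the Step Asr skill or from ClawHub. It makes no network call, because the page does not document the request body format or the exact Authorization scheme; the host allowlist, the chunk size, the helper names and the patterned sample file are all assumptions of the example.

```python
import base64
import os
import tempfile
from urllib.parse import urlparse

# Endpoint named in the scan report. The allowlist is an assumption of this example.
ASR_ENDPOINT = "https://api.stepfun.com/v1/audio/asr/sse"
ALLOWED_HOSTS = frozenset({"api.stepfun.com"})


def endpoint_is_allowed(url, allowed_hosts=ALLOWED_HOSTS):
    """Accept only https URLs whose host is on the allowlist (no plain http, no other hosts)."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname in allowed_hosts


def load_api_key(environ=None, env_var="STEPFUN_API_KEY"):
    """Read the key from the environment only; refuse to run if it is missing or blank."""
    environ = os.environ if environ is None else environ
    key = environ.get(env_var, "").strip()
    if not key:
        raise RuntimeError(f"{env_var} is not set; keys must not be hardcoded in the script")
    return key


def iter_base64_chunks(path, chunk_size=3 * 64 * 1024):
    """Yield base64 text for a file without loading the whole file.

    chunk_size must be a multiple of 3: each full chunk then encodes to whole
    base64 quanta with no '=' padding, so the concatenated output is identical
    to encoding the file in one pass (padding appears only on the final chunk)."""
    if chunk_size % 3:
        raise ValueError("chunk_size must be a multiple of 3")
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                return
            yield base64.b64encode(block).decode("ascii")


def base64_from_file(path, chunk_size=3 * 64 * 1024):
    return "".join(iter_base64_chunks(path, chunk_size))


def prepare_upload(path, environ=None, url=ASR_ENDPOINT):
    """Run the checks and hand back what a client would need; nothing is sent from here."""
    if not endpoint_is_allowed(url):
        raise ValueError(f"refusing to send audio to {url}")
    key = load_api_key(environ)
    return {"url": url, "key": key, "audio_b64": iter_base64_chunks(path)}


def demo():
    """Constructed sample: 10496 bytes of patterned data standing in for an audio file."""
    data = bytes(range(256)) * 41
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        # 3 KiB chunks force several reads; the final partial chunk carries the only padding.
        streamed = base64_from_file(path, chunk_size=3 * 1024)
        whole = base64.b64encode(data).decode("ascii")
        try:
            load_api_key(environ={})
            missing_key_rejected = False
        except RuntimeError:
            missing_key_rejected = True
        return {
            "streamed_matches_whole": streamed == whole,
            "declared_endpoint_allowed": endpoint_is_allowed(ASR_ENDPOINT),
            "plain_http_rejected": not endpoint_is_allowed("http://api.stepfun.com/v1/audio/asr/sse"),
            "other_host_rejected": not endpoint_is_allowed("https://api.stepfun.com.evil.example/v1"),
            "missing_key_rejected": missing_key_rejected,
            # "sk-example" is a constructed placeholder, not a real key.
            "key_read_from_env": load_api_key(environ={"STEPFUN_API_KEY": "sk-example"}) == "sk-example",
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```

prepare_upload returns the encoder as a generator, so a caller can feed it to an HTTP client that accepts an iterable body and keep memory use at one chunk rather than the whole file plus its base64 copy. The host check compares the parsed hostname, not a string prefix, which is why a lookalike such as api.stepfun.com.evil.example is rejected.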
Review Dimensions
- Purpose & Capability
- ok: Name/description, the required env var (STEPFUN_API_KEY), the declared primary credential, and the network endpoint in the code (https://api.stepfun.com/v1/audio/asr/sse) all align with a Step/StepFun ASR client.
- Instruction Scope
- ok: SKILL.md instructs running the included Python script to read a local audio file and send it to the Step ASR API; the runtime instructions and script read only the specified audio file, the optional output path, and the declared API key. There are no instructions to read unrelated files or credentials.
- Install Mechanism
- ok: No install step is provided (instruction-only) and a single small Python script is included; nothing is downloaded from untrusted URLs and no archives are extracted.
- Credentials
- ok: Only STEPFUN_API_KEY is required, and it is used only in the Authorization header. No other secrets, unrelated credentials, or config paths are requested or accessed.
- Persistence & Privilege
- ok: The skill is not always-enabled and does not modify other skills or system-wide settings. It runs on demand and does not request persistent elevated privileges.
