ClawHub

Volcengine STT

v0.2.1

Transcribe audio to text using Volcano Engine (Volcengine/ARK) speech-to-text APIs. Use when the user wants to replace Whisper/OpenAI STT with Volcengine, tr...

2· 470·5 current·5 all-time
byReed@reed1898
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
SKILL.md and the skill name promise Volcengine (ARK) STT and list ARK_API_KEY / ARK_BASE_URL, but the runnable script posts base64 audio to openspeech.bytedance.com endpoints and uses VOLC_APP_ID / VOLC_ACCESS_TOKEN / VOLC_RESOURCE_ID headers. This is a clear mismatch: either the README is wrong or the script implements a different provider.
!
Instruction Scope
The runtime script will read credentials from environment variables or from ~/.openclaw/openclaw.json (via jq), base64-encode local audio, and upload it to external endpoints (openspeech.bytedance.com). SKILL.md does not document the config-file fallback or the actual network endpoints used, so users may be unaware their audio and local config will be transmitted to Bytedance servers.
Install Mechanism
There is no install spec (instruction-only with an included script). No additional packages are automatically downloaded or extracted. The script requires common system tools (curl, jq, base64, uuidgen or /proc UUID) but does not perform external installs.
!
Credentials
SKILL.md declares ARK_API_KEY (and ARK_* env vars) as required, but the script actually requires VOLC_APP_ID and VOLC_ACCESS_TOKEN (and optionally VOLC_RESOURCE_ID or values from ~/.openclaw/openclaw.json). The skill therefore asks for credentials that don't match the code, and it also accesses a user config file path not mentioned in the docs.
Persistence & Privilege
The skill does not request permanent 'always' inclusion and does not modify other skills or system-wide settings. Its only elevated access is reading a local OpenClaw config fallback file (~/.openclaw/openclaw.json) to obtain credentials.
What to consider before installing
Do not assume this skill uses Volcengine/ARK based on its name or SKILL.md. The bundled script actually uploads audio to openspeech.bytedance.com and expects VOLC_APP_ID / VOLC_ACCESS_TOKEN (or reads ~/.openclaw/openclaw.json) — a mismatch that may be accidental or intentional. Before installing: 1) Ask the publisher which provider the skill is intended for and request corrected docs or code. 2) If you must test it, run the script in a sandbox or isolated account and with non-sensitive test audio. 3) Don't provide production credentials until the provider/credential mapping is clarified; if you already supplied keys, consider rotating them. 4) If you expect Volcengine/ARK, either obtain a version that actually calls the ARK endpoints or modify the script accordingly. 5) Be aware the script transmits local audio and may read OpenClaw config for secrets — only run it where you trust that destination and have reviewed the code.

Like a lobster shell, security has layers — review code before you run it.

latestvk971v5t9t369xb20kj55548qf18245br

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments