Skillv1.0.0

ClawScan security

Sense Audio · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 13, 2026, 1:23 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: This is an internally consistent instruction-only integration guide for SenseAudio's API endpoints and realtime flows; it asks for no unexpected system access or unrelated credentials, but the skill package has no listed source/homepage so you may want to verify it against the vendor docs before trusting examples with real keys or production data.
Guidance: This appears to be a reasonable integration guide for SenseAudio APIs, but before using it with real credentials do the following: (1) Verify the api.senseaudio.cn endpoints and parameter details against the official SenseAudio vendor documentation (the skill has no published homepage/source), (2) never paste real API keys into chat; use environment variables or a secure secret store, (3) test examples with throwaway keys or a sandbox first, especially for uploads (media retention is noted in docs), (4) confirm cloning/voice usage terms and legal constraints before uploading user voice data, and (5) implement rate limiting, bounded retries, and structured logging as recommended to avoid leaking tokens in logs or telemetry.

Purpose & Capability: okThe name/description match the content: the files provide TTS, ASR, realtime agent, video, and voice-clone integration guidance for api.senseaudio.cn and wss://api.senseaudio.cn. There are no unrelated environment variables, binaries, or capabilities requested.
Instruction Scope: okSKILL.md and the reference files limit actions to building requests, parsing responses, and handling retries/errors for the SenseAudio APIs. They instruct use of Authorization: Bearer <API_KEY>, hex decoding of returned audio, and WebSocket/SSE flows — all expected for this integration and not requesting unrelated files, system state, or external endpoints beyond the documented API host.
Install Mechanism: okNo install spec or code files — the skill is instruction-only, which minimizes disk/write risk.
Credentials: okThe docs advise storing API keys in environment variables but the skill declares no required credentials. That is proportional: the integration legitimately needs an API key for api.senseaudio.cn and no unrelated secrets are requested.
Persistence & Privilege: okalways is false, there is no installation or persistent agent modification requested. The skill does not request long-term agent presence or system-wide config changes.