Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ClawBB

v1.1.5

ClawBB — Free macOS voice-to-text built for Vibe Coding. Hold Globe key, speak, text appears at your cursor. Powered by Google Gemini LLM. Apple Notarized.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description claim voice-to-text powered by Google Gemini and the skill requires GEMINI_API_KEY and a local config path (~/Tools/xiabb/.api-key). Those requirements are directly related and proportionate to a Gemini-based transcription client.
Instruction Scope
SKILL.md only instructs how to download or build the macOS app, how to provide the GEMINI_API_KEY (env or local file), and notes the app will request Accessibility and Microphone permissions and send audio to Gemini. There are no instructions to read unrelated files, exfiltrate other secrets, or call unexpected external endpoints.
Install Mechanism
The skill is instruction-only (no install spec). It recommends curl to download a DMG from a GitHub Releases URL and provides a SHA‑256 checksum to verify. GitHub Releases is a standard host and a checksum is provided, but downloading and running a DMG is inherently higher risk than a pure instruction-only skill — verify signature/checksum and the upstream repo before opening.
Credentials
Only GEMINI_API_KEY is declared as required (primary credential) and the config path is where that key is stored locally. The requested credential is appropriate for a client that sends audio to the Gemini API.
Persistence & Privilege
always is false; the skill does not request permanent platform-level inclusion or modifications to other skills. The app will request standard macOS permissions (Accessibility, Microphone), which are expected for this functionality.
Assessment
This skill appears internally consistent, but take standard precautions before installing:

  1. Verify the GitHub repository (https://github.com/dyz2102/xiabb) and the DMG checksum/signature match the release.
  2. Prefer building from source if you want to fully audit the code (SKILL.md includes build steps).
  3. Store and protect your GEMINI_API_KEY (it will be saved at ~/Tools/xiabb/.api-key unless you choose env).
  4. Be aware audio is sent to Google Gemini — review Google's privacy policy before use.
  5. Confirm the app's notarization/signer in Gatekeeper when first opening.

If any of these checks fail or the repo/release doesn't match the published claims, do not install.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Env: GEMINI_API_KEY
Config: ~/Tools/xiabb/.api-key
Primary env: GEMINI_API_KEY

SKILL.md

ClawBB (虾BB)

Hold Globe key. Speak. Text appears. Free voice-to-text built for Vibe Coding.

  • 🆓 Free forever — Google Gemini free tier, 250 transcriptions/day
  • 🌏 Bilingual — Mixed Chinese + English, perfect punctuation for AI prompts
  • 🔴 Live streaming preview — See text appear as you speak (Gemini Live API)
  • 341KB pure Swift — Zero dependencies, macOS native
  • 🧠 LLM engine — Not Whisper ASR. Gemini understands meaning, not just sound.
  • 📖 Open source — MIT License, Apple Notarized

Install

Download the Apple Notarized DMG (app release v1.1.3) from GitHub Releases:

curl -L -o /tmp/XiaBB.dmg "https://github.com/dyz2102/xiabb/releases/download/v1.1.3/XiaBB-v1.1.3-macOS-arm64.dmg"

Verify checksum before opening:

echo "ce53a5b0ccc3b0993b284686ab05716f3e616969f98395d1baf8aec083f8d784  /tmp/XiaBB.dmg" | shasum -a 256 -c

Then open the DMG and drag XiaBB.app to Applications:

open /tmp/XiaBB.dmg

The app is signed with Developer ID and Apple Notarized — no Gatekeeper warnings.

Build from source (optional)

If you prefer to inspect and compile yourself:

git clone https://github.com/dyz2102/xiabb.git /tmp/xiabb-build
cd /tmp/xiabb-build
# Review install.sh and native/main.swift before running
cat install.sh
bash install.sh

Requires Xcode Command Line Tools (xcode-select --install).

Setup

Gemini API Key

Get a free key at https://aistudio.google.com/apikey, then configure:

# Recommended: environment variable
export GEMINI_API_KEY="your-key-here"

Or configure via the app's menu bar → "Configure Gemini API Key...".

The key is stored locally at ~/Tools/xiabb/.api-key (chmod 600 recommended).

Permissions

On first launch, macOS will prompt for:

  • Accessibility: Required for Globe key detection (CGEventTap)
  • Microphone: Required for voice recording

Both are standard macOS permissions for a voice input app. Grant them in System Settings → Privacy & Security.

Usage

| Action | Result |
|---|---|
| Hold 🌐 Globe key | Start recording, HUD shows live preview |
| Release 🌐 Globe key | Transcription pastes at cursor |
| Click HUD 📋 | Copy last result |

Security & Privacy

  • Open source: Full source at https://github.com/dyz2102/xiabb — review before use
  • Apple Notarized: Signed with Developer ID, verified by Apple
  • No account required: No signup, no tracking, no telemetry
  • Audio processing: Audio is sent to Google Gemini API for transcription. Review Google's privacy policy if this concerns you.
  • Local storage only: API key and config stored locally, never transmitted except to Gemini API
