Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

会议智能纪要 (Smart Meeting Minutes)

v1.0.0

Automation skill for 会议智能纪要.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description promise cloud ASR (volcano/siliconflow/local) and Feishu sync; the declared env vars (VOLCANO_API_KEY, FEISHU_APP_ID, FEISHU_APP_SECRET) align with that purpose. However, the provided script only performs a local, mocked transcription and returns a simulated Feishu URL — it does not call any ASR or Feishu APIs. This mismatch suggests the integration is unimplemented or incomplete.
Instruction Scope
SKILL.md directs the agent to obtain an audio path/link and call scripts/meeting_minutes.py. The script operates only on a local file path, checks existence and writes a local markdown file; it does not process remote links or read other system files. SKILL.md claims support for cloud recordings/links and platform-specific inputs (Feishu Minutes/Tencent Meeting), but the runtime handler and script do not implement link fetching or platform-specific logic.
Install Mechanism
There is no install spec; SKILL.md lists simple pip installs (requests, pydub, optional faster-whisper). These are expected for the stated functionality and do not pull code from untrusted URLs or run archive extraction. No high-risk install behavior detected.
Credentials
Requested environment variables (ASR_PROVIDER, VOLCANO_API_KEY, FEISHU_APP_ID, FEISHU_APP_SECRET) are reasonable for a skill that integrates with cloud ASR and Feishu. But the shipped script does not read or use these variables — requiring them without using them is disproportionate and may be a placeholder for future network calls. Treat API keys as sensitive until you confirm they are actually used and needed.
Persistence & Privilege
The skill is not always-enabled and does not request elevated/persistent system privileges. It writes output files under the current working directory but does not modify other skills or global agent config.
What to consider before installing
This skill claims cloud ASR and Feishu sync and asks for API keys, but the included Python script currently uses mocked transcription and a stubbed Feishu save (no network calls). That means: (1) it is not malicious but it's incomplete — do not provide real API keys until you confirm the skill actually uses them; (2) test it with local audio files first to verify behavior; (3) if you plan to enable cloud ASR or Feishu sync, ask the maintainer for a clear implementation or review updated code to ensure API calls are restricted to the expected endpoints and keys have minimal privileges; (4) note optional dependencies like faster-whisper may require large models and ffmpeg — review resource requirements before installing.

Like a lobster shell, security has layers — review code before you run it.

Tags: chinese, latest, meeting, productivity, transcription
