Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

H-ear

v1.1.1

H-ear.world transforms sound into an actionable, meaningful translation layer of the world around you. Describe, share and act upon audio as a spatiotemporal...

by Paul Day (@badajoz95)
Security Scan
Capability signals
Requires OAuth token · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Suspicious
View report →

OpenClaw
Suspicious
medium confidence

Purpose & Capability
Name/description match an audio-classification skill and the required HEAR_API_KEY/HEAR_ENV are appropriate. However, the code exposes additional capabilities (audio capture from RTSP, local ffmpeg usage, LISTEN_RTSP_URL environment use) that are not declared in the SKILL.md 'requires' bins or the command list. The CLI includes a 'capture/listen' command that is absent from SKILL.md, indicating a mismatch between claimed capabilities and actual functionality.
Instruction Scope
SKILL.md describes webhook registration being handled automatically by the gateway (no external endpoint required), but the code's alert registration (alertOnCommand) requires a callbackUrl and will throw if none is provided. The CLI and code also read process.env.LISTEN_RTSP_URL and call spawnSync('ffmpeg'), which are not declared in SKILL.md. These deviations expand what the agent may read/execute versus what the instructions promise.
Install Mechanism
There is no install spec (instruction-only), which is lower risk. Yet the skill package includes full source/CLI files and a package.json declaring a dependency on @h-ear/core. The presence of executable code but no install instructions is an inconsistency users should notice (it may be packaged for local use or published elsewhere).
Credentials
The declared required variables (HEAR_API_KEY, HEAR_ENV; optional HEAR_BEARER_TOKEN, HEAR_BASE_URL) are proportionate to an API client. However, the code also expects LISTEN_RTSP_URL for capture and uses HEAR_BEARER_TOKEN implicitly — LISTEN_RTSP_URL is not declared in SKILL.md requires, so the skill will read an extra env var if the capture feature is used.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or system-wide settings. Model invocation is allowed (default), which is normal. There is no evidence of persistent/system-wide privileges being requested.
What to consider before installing
Before installing, consider the following: (1) The SKILL.md and the shipped code disagree — the code contains a 'capture/listen' command that records from RTSP using the local ffmpeg binary, but SKILL.md does not declare ffmpeg as a required binary. If you plan to use capture, ffmpeg must be present on the host and the skill will read LISTEN_RTSP_URL. (2) Webhook behavior differs: SKILL.md claims the gateway manages callbacks automatically, but alert registration in code requires an explicit callbackUrl and will error if not provided. Confirm how webhook callbacks are intended to be registered and whether you must supply callback URLs that could expose your channel endpoints. (3) The skill asks for your HEAR_API_KEY (primary credential) — only provide this if you trust the H-ear service and the upstream package @h-ear/core; consider creating a scoped or limited key for testing. (4) Because source files are included but there is no install spec, verify the provenance (GitHub repo or package registry), and review or pin the @h-ear/core dependency before granting credentials. If you need to proceed safely: ask the publisher to (a) update SKILL.md to list the capture command and required binaries, (b) clarify how webhook registration works and whether the gateway truly avoids exposing external endpoints, and (c) publish a clear install/release URL or package version for audit. If these questions are not satisfactorily answered, do not install or do so only with a limited/test API key and in an isolated environment.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

src/cli.ts:62
Shell command execution detected (child_process).
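The findings above boil down to one check: do the environment variables and binaries the shipped code actually touches match what SKILL.md declares? The static check below is an added example, not code from the ClawHub page or the H-ear skill; the sample source and the declared list are constructed from this page's own findings, and parsing SKILL.md itself is left to the caller because the page does not show that file's format.

```javascript
// Added example, not the H-ear skill's code: static check comparing env vars and
// spawned binaries referenced in skill source against the declared requirements.
const ENV_RE = /process\.env\.([A-Z0-9_]+)|process\.env\[['"]([A-Z0-9_]+)['"]\]/g;
// child_process calls whose first argument is a string literal naming the binary
const SPAWN_RE = /\b(spawnSync|spawn|execFileSync|execFile|execSync|exec)\(\s*['"`]([^'"`\s]+)/g;

function findEnvVars(source) {
  const found = new Set();
  for (const m of source.matchAll(ENV_RE)) found.add(m[1] || m[2]);
  return [...found].sort();
}

function findSpawnedBinaries(source) {
  const found = new Set();
  for (const m of source.matchAll(SPAWN_RE)) found.add(m[2]);
  return [...found].sort();
}

// declared = { env: [...], bins: [...] } as parsed from SKILL.md by the caller
function auditSkill(source, declared) {
  const envUsed = findEnvVars(source);
  const binsUsed = findSpawnedBinaries(source);
  return {
    undeclaredEnv: envUsed.filter((v) => !declared.env.includes(v)),
    undeclaredBins: binsUsed.filter((b) => !declared.bins.includes(b)),
    usesChildProcess: /\bchild_process\b/.test(source),
  };
}

// Constructed stand-in for the skill source, mirroring only the patterns the
// scan report describes (LISTEN_RTSP_URL read, spawnSync('ffmpeg')).
const SAMPLE_SOURCE = `
import { spawnSync } from 'child_process';
const apiKey = process.env.HEAR_API_KEY ?? process.env['HEAR_BEARER_TOKEN'];
const env = process.env.HEAR_ENV;
export function listen() {
  const url = process.env.LISTEN_RTSP_URL;
  return spawnSync('ffmpeg', ['-i', url, '-t', '10', 'out.wav']);
}
`;

// Declared requirements as the Setup table on this page lists them; no binaries declared.
const DECLARED = {
  env: ['HEAR_API_KEY', 'HEAR_BEARER_TOKEN', 'HEAR_ENV', 'HEAR_BASE_URL'],
  bins: [],
};

console.log(JSON.stringify(auditSkill(SAMPLE_SOURCE, DECLARED), null, 2));
```

Anything listed under undeclaredEnv or undeclaredBins is exactly the kind of gap the scan flags here (LISTEN_RTSP_URL and ffmpeg); run it over the real src/ tree before granting the skill a key.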

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Env: HEAR_API_KEY, HEAR_ENV
Primary env: HEAR_API_KEY
latest: vk9746f293qz4sm0225j25zprqn855d8t
370 downloads
1 star
27 versions
Updated 1h ago
v1.1.1
MIT-0

H-ear — Sound Intelligence for AI Agents

H-ear.world transforms sound into an actionable, meaningful translation layer of the world around you. Describe, share and act upon audio as a spatiotemporal annotated soundscape that empowers you, your business and your AI flow.

Commands

Command | Description
classify <url> | Classify audio from a URL. Returns detected sound classes with confidence scores.
classify batch <url1> <url2>... | Batch classify multiple audio URLs. Results delivered asynchronously via the gateway's webhook endpoint.
sounds [search] | List supported sound classes (521+ across 3 taxonomies).
usage | Show API usage statistics (minutes, calls, quota).
jobs [last N] | List recent classification jobs with status.
job <id> | Show detailed job results with classifications.
alerts on <sound> | Enable real-time alerts for a sound class. Notifications delivered to your connected channel via the gateway.
alerts off <sound> | Disable alerts for a sound class.
health | Check API status.

Setup

Variable | Required | Default | Description
HEAR_API_KEY | Yes* | (none) | H-ear Enterprise API key (ncm_sk_...). Required unless HEAR_BEARER_TOKEN is set. Get one at h-ear.world.
HEAR_BEARER_TOKEN | Yes* | (none) | OAuth bearer token. Alternative to HEAR_API_KEY; one of the two must be set.
HEAR_ENV | Yes | (none) | Target environment: dev, staging, or prod.
HEAR_BASE_URL | No | Per-environment default | Override API base URL (advanced).

*One of HEAR_API_KEY or HEAR_BEARER_TOKEN is required.

Webhook Delivery

Batch classification (classify batch) and sound alerts (alerts on) use webhook callbacks for asynchronous result delivery. The OpenClaw gateway manages webhook endpoints automatically -- the skill registers callbacks against the gateway's own webhook receiver, which routes results back to your connected messaging channel. No external endpoint configuration is required by the user.

Webhook events: job.completed, job.failed, batch.completed, quota.warning.
