ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Audio Intelligence Mcp

v1.0.0

Transcribe, summarize, and analyze audio files using local Whisper + Qwen. Returns transcript, segments, and action items.

0· 15·0 current·0 all-time
by@ntriq-gh
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The description says local Whisper + Qwen inference, but the SKILL.md usage examples call out to https://x402.ntriq.co.kr (POST /audio-intel and /services) and mention x402 micropayments. That contradicts the 'zero external API calls' claim. The example payload uses image_url/doc.png despite the skill being for audio, which is another inconsistency.
!
Instruction Scope
The instructions explicitly instruct network calls (curl to an external host) and reference auto-pay behavior (USDC on Base). That means user data would be sent externally and payments may occur — actions not reflected in the skill metadata or requirements. There are no instructions for performing local inference despite the 'local' claim.
Install Mechanism
There is no install spec and no code files (instruction-only), so nothing is automatically written to disk or installed by the skill package itself. The primary risk comes from the external service the SKILL.md points to, not from an install mechanism.
!
Credentials
The SKILL.md suggests auto-payments and use of an external service but the skill declares no required environment variables, credentials, or wallet keys. If the agent is expected to make micropayments it would need signing credentials (wallet private key or payment token) — their absence in the metadata is a mismatch and a red flag.
Persistence & Privilege
The skill does not request 'always: true' and is user-invocable; autonomous invocation is allowed (default) which is normal. However, autonomous network calls combined with payment behavior increase risk if the agent is allowed to act without oversight — consider restricting autonomous use until clarified.
What to consider before installing
Do not install or grant payment/wallet credentials yet. Ask the publisher to clarify: (1) where inference actually runs (local or remote), (2) why the metadata declares zero external calls while the SKILL.md calls an external API, (3) whether the agent will auto-pay and what credentials it needs. If you must test, do so in a sandboxed environment with no access to real wallets or sensitive data, monitor network traffic to https://x402.ntriq.co.kr, and request the full implementation or source code for local inference to verify the 'local' claim. Avoid providing private keys, API tokens, or production data until these inconsistencies are resolved.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b87ac9sd90n8h7b7ev9t42n84cbpy

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments