speech-recognition
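v1.0.1
General-purpose speech recognition Skill. Supports multiple audio formats (ogg/mp3/wav/m4a) and uses the SiliconFlow SenseVoice API for speech-to-text. Triggered when the user sends a voice message or audio file, or needs audio transcribed.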
by @demo112
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill description says it uses SiliconFlow (SenseVoice) for transcription, which legitimately requires an API key and network access. However, the registry metadata lists no required environment variables or config paths while the SKILL.md explicitly instructs storing an API key in ~/.openclaw/openclaw.json and/or setting SILICONFLOW_API_KEY. The missing declaration of credentials/config is an incoherence: a transcription skill would reasonably need a provider API key, but the skill metadata should have declared that.
Instruction Scope
SKILL.md includes concrete runtime actions: convert audio with ffmpeg to /tmp/audio.mp3, read an API key from ~/.openclaw/openclaw.json or the SILICONFLOW_API_KEY environment variable, and POST the audio to https://api.siliconflow.cn/v1/audio/transcriptions. Uploading audio to a third-party API matches the stated purpose, but the instructions also reference a local agent config path (~/.openclaw/openclaw.json) and an env var that are not declared in the skill metadata — this is scope creep / undeclared access to local configuration.
Install Mechanism
The skill is instruction-only (no install spec, no code files), which is low risk. However, the instructions rely on ffmpeg being installed and available; the skill metadata does not declare this required binary. That omission is an inconsistency (operational requirement not surfaced).
Credentials
The SKILL.md requires an API key (example keys: sk-xxx) and suggests storing it in ~/.openclaw/openclaw.json or in SILICONFLOW_API_KEY, but requires.env is empty in the metadata. Requesting API credentials is proportionate to the task, but failing to declare them is a red flag because the agent/platform and the user won't be prompted or audited for that secret access. The skill will transmit user audio to a third-party endpoint (privacy implication) — expected for cloud transcription but should be explicit in metadata.
Persistence & Privilege
The skill does not request always:true, does not include an install step that writes persistent binaries, and does not claim to modify other skills or system-wide settings. It merely instructs how to format calls and where to put an API key; that is within normal bounds.
What to consider before installing
Before installing: (1) Expect audio to be uploaded to https://api.siliconflow.cn — do not send sensitive audio unless you trust that service. (2) The SKILL.md expects you to provide an API key (example: sk-xxx) either in ~/.openclaw/openclaw.json or via the SILICONFLOW_API_KEY env var; the skill metadata did not declare this — verify how you will supply and protect that key. (3) Ensure ffmpeg is installed and available on PATH (the skill's instructions use ffmpeg but the metadata doesn't state this). (4) Prefer storing provider keys in a secure secret store rather than plaintext files. (5) If you need higher assurance, ask the publisher to update the skill metadata to list required env var(s) and binaries, and to provide a provenance/homepage for siliconflow and the skill repository before using it in production.
Like a lobster shell, security has layers — review code before you run it.
