ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Imsg Media

v1.0.1

Fetch iMessage/Messages.app attachments (voice memos and images) and process them — transcribe audio via Silicon Flow ASR (SenseVoiceSmall), and analyze imag...

0· 301·0 current·0 all-time
by@tankyhsu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match what the files do: the script uses the 'imsg' CLI to locate iMessage attachments and sends audio to Silicon Flow for transcription. Required binary (imsg) and env var (SILICON_FLOW_KEY) are expected for this functionality. Minor inconsistency: SKILL.md asks to cd into '~/.openclaw/skills/imsg-voice-transcribe' while the registry slug is 'imsg-media' (directory/name mismatch), but this is an operational nit, not a functional mismatch.
Instruction Scope
Runtime instructions and the script operate within the declared scope: they read Messages attachments via the imsg CLI, classify files as audio/image, upload audio to the declared Silicon Flow API, and instruct the agent to use its vision model for images. The skill explicitly requires Full Disk Access so it can read ~/Library/Messages attachments; that is necessary but also grants broad access to message contents (see guidance). The script only reads the specified env file (~/.openclaw/.env) for the API key and does not attempt to read unrelated system config.
Install Mechanism
This is instruction-only with one included script; there is no automated install or remote download. The only external install the SKILL.md recommends is 'npm install -g imsg' for the imsg CLI, which is reasonable and expected.
!
Credentials
The single required credential (SILICON_FLOW_KEY) is appropriate for the declared cloud transcription service, but the skill requires Full Disk Access to read Messages data — a high privilege that exposes all message attachments and metadata. Additionally audio files are uploaded to https://api.siliconflow.cn, so granting the API key and FDA has privacy/egress implications. The script only reads the stated ~/.openclaw/.env file for the key and supports a one-off --api-key override (good), but users should confirm they trust the external ASR provider before storing a long‑lived key.
Persistence & Privilege
The skill does not request always:true, does not modify other skills' configs, and has no install-time persistent service. It suggests adding the API key to ~/.openclaw/.env for convenience, which is normal but increases persistent credential exposure if used.
Assessment
This skill does what it says — it locates iMessage attachments (requires the imsg CLI) and uploads audio files to the Silicon Flow ASR endpoint for transcription. Before installing: (1) understand that you must grant Full Disk Access to the process running OpenClaw/your terminal — that allows reading all Messages data and attachments; (2) review Silicon Flow's privacy/security policy because audio will be sent to api.siliconflow.cn; (3) prefer using a one-time --api-key override instead of putting a long-lived key in ~/.openclaw/.env if you want less persistence; (4) verify the imsg CLI you install is from a trusted source; (5) note the small filename/slug mismatch in the README (cd path) and check the skill directory name before running. If you are uncomfortable granting FDA or sending audio to an external service, do not install or run this skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d403n0vna3hgyja6zwq81gn820506

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎙️ Clawdis
Binsimsg
EnvSILICON_FLOW_KEY

SKILL.md

imsg-media

Full iMessage multimedia pipeline:

  • 🎙️ Voice memo → text via Silicon Flow ASR (SenseVoiceSmall, cloud, no local model)
  • 🖼️ Image → description/OCR via agent's built-in vision model

Requirements

macOS permissions

  • Full Disk Access must be granted to the process running OpenClaw
  • Settings → Privacy & Security → Full Disk Access → add your terminal/app
  • Without this, imsg cannot read ~/Library/Messages/chat.db and will return permissionDenied

API key (audio only)

  • Silicon Flow API key — sign up free at https://siliconflow.cn
  • Long-term use: add to ~/.openclaw/.env: SILICON_FLOW_KEY=sk-...
  • Quick test / override: pass --api-key sk-... directly to the script
  • Image analysis does not require this key

CLI dependency

  • imsg CLI: npm install -g imsg

Trigger conditions

Activate this skill when:

  • Incoming message text contains the attachment placeholder
  • User says "语音转文字", "转写", "识别语音", "transcribe"
  • User says "看图", "识别图片", "读图", "OCR", "截图里写的什么"
  • User references a photo/audio/file they just sent via iMessage

Decision flow

Attachment detected?
├── Audio (.m4a / .caf / .wav / .mp3)  → transcribe via Silicon Flow ASR
├── Image (.jpg / .png / .heic / .gif) → read with vision model
└── Unknown / not downloaded            → increase --limit or ask user to resend

Workflow

Step 1 — Get the sender identifier

Always read from the message envelope:

  • [iMessage sender@example.com ...] → use sender@example.com
  • [SMS +1234567890 ...] → use +1234567890
  • Never hardcode an address

Step 2 — Fetch the attachment

# Run from the skill directory
cd ~/.openclaw/skills/imsg-voice-transcribe

python3 scripts/imsg_voice_transcribe.py fetch \
  --identifier "sender@example.com" \
  --limit 50

Returns JSON with file, type (audio or image), and metadata.

If nothing found, try --limit 100.

Step 3a — Audio: transcribe

# One-liner (fetch + transcribe)
python3 scripts/imsg_voice_transcribe.py auto \
  --identifier "sender@example.com" \
  --limit 50 --raw

# Or transcribe a specific file
python3 scripts/imsg_voice_transcribe.py transcribe \
  --file /path/to/audio.m4a --raw

# Quick test with explicit API key (no env setup needed)
python3 scripts/imsg_voice_transcribe.py transcribe \
  --file /path/to/audio.m4a --api-key sk-... --raw

Step 3b — Image: analyze

After fetch returns an image path (e.g. {"file": "/path/to/photo.jpg", "type": "image"}):

# Example: fetch image from a sender
python3 scripts/imsg_voice_transcribe.py fetch \
  --identifier "sender@example.com" --type image --limit 50
# → {"file": "/Users/.../Messages/Attachments/photo.jpg", "type": "image", ...}

Then in the agent:

  1. If HEIC/HEIF: convert first → sips -s format png "input.heic" --out "output.png"
  2. Open with the read tool → agent vision model processes it
  3. Respond with: what it is, main subject, any text/OCR, notable details

Default image response format:

  • What it is: photo / screenshot / document
  • Main subject: 1–2 sentences
  • Text (OCR): quote key text, or "无明显文字"
  • Details: 3–5 bullets
  • Follow-up: ask if they want OCR / table extraction / comparison / etc.

Supported formats

FormatTypeNotes
.m4aAudioStandard iMessage voice memo
.cafAudioOlder iOS voice memo (AAC in CAF)
.wav .mp3AudioOther sources
.jpg .jpeg .pngImageStandard photos
.heic .heifImageiPhone default — convert to PNG first
.gifImageAnimated or static

Troubleshooting

ErrorCauseFix
permissionDeniedNo Full Disk AccessGrant FDA in System Settings
SILICON_FLOW_KEY not setMissing API keyAdd to ~/.openclaw/.env
No attachments foundLow limit or iCloud not syncedIncrease --limit; ask user to resend
Request timed outNetwork or large fileRetry; check file < 25MB
HEIC not displayingFormat not supported by readConvert with sips first

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…