ClawHub

Azure Ai Voicelive Py

v0.1.0

Build real-time voice AI applications using Azure AI Voice Live SDK (azure-ai-voicelive). Use this skill when creating Python applications that need real-time bidirectional audio communication with Azure AI, including voice assistants, voice-enabled chatbots, real-time speech-to-speech translation, voice-driven avatars, or any WebSocket-based audio streaming with AI models. Supports Server VAD (Voice Activity Detection), turn-based conversation, function calling, MCP tools, avatar integration, and transcription.

2· 2k·0 current·0 all-time
by@thegovind
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md describes building real-time voice apps with Azure's Voice Live SDK (logical and coherent). However the registry metadata declares no required environment variables or primary credential even though the instructions explicitly require AZURE_COGNITIVE_SERVICES_ENDPOINT and optionally AZURE_COGNITIVE_SERVICES_KEY and recommend DefaultAzureCredential. The missing declared credentials is disproportionate to the documented purpose (likely an oversight, but it is an incoherence).
!
Instruction Scope
Runtime instructions instruct the agent to read environment variables (endpoint, optional API key) and to use DefaultAzureCredential which may surface additional Azure credentials (AZURE_CLIENT_ID/TENANT_ID/CLIENT_SECRET, Azure CLI tokens, managed identity). The examples also read local audio files and stream microphone audio (expected for the stated purpose). The problem is the instructions access credentials and auth surfaces that are not declared in the skill metadata, granting the agent potential access to broader Azure credentials than the registry advertises.
Install Mechanism
This is an instruction-only skill with no install spec or shipped code — lowest install risk. The SKILL.md recommends installing pip packages (azure-ai-voicelive, aiohttp, azure-identity), which is expected for this SDK and would be a normal developer dependency, but those installs would happen outside the skill bundle.
!
Credentials
The skill's documentation requires AZURE_COGNITIVE_SERVICES_ENDPOINT and optionally AZURE_COGNITIVE_SERVICES_KEY, and suggests DefaultAzureCredential (which uses other Azure auth sources). Yet the skill metadata lists no required env vars or primary credential. Requesting (via instructions) broad Azure credential sources without declaring them is disproportionate and opaque; it could cause unexpected use of existing Azure credentials on the host.
Persistence & Privilege
always:false and no install code or persistent modifications are requested. The skill is user-invocable and can be invoked autonomously (platform default), but there's no evidence it requests persistent elevated privileges or modifies other skills.
What to consider before installing
This skill appears to be legitimate documentation for using Azure's Voice Live SDK, but the package metadata does not declare the environment variables and credential access that the SKILL.md actually requires. Before installing or running code derived from this skill: - Treat the mismatch as a red flag: confirm with the skill author/source why required env vars and credentials are not declared. Ask for an authoritative homepage or repository. - Do not expose broad Azure credentials (AZURE_CLIENT_ID/SECRET, Azure CLI tokens, or subscription-level keys) to untrusted code. Prefer creating a dedicated Azure resource with minimal permissions and a short-lived credential for testing. - Be aware DefaultAzureCredential will attempt multiple auth methods (env vars, managed identity, Azure CLI cache) and could cause the agent to use existing credentials on the host — run in an isolated environment if you want to limit exposure. - Verify packages (azure-ai-voicelive, azure-identity) come from a trusted source (PyPI/GitHub) before pip installing. If you cannot validate the source or get corrected metadata, treat the skill as suspicious and avoid giving it credentials or running it in a privileged environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk970x16t5gh9t4thns5f3zvad9809ctn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments