Doubao Asr
Review
Audited by ClawScan on May 10, 2026.
Overview
The transcription feature appears legitimate, but the package includes an unrelated reference prompt that could redirect an agent into modifying the skill, and it also uploads audio to Volcengine using cloud credentials.
Before installing, remove or ignore the unrelated development-reference file, use dedicated Volcengine credentials and a dedicated TOS bucket, and set a cleanup policy for uploaded recordings. The core ASR workflow appears aligned with the stated purpose, but it is not a purely local transcription tool.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent reads this reference as authoritative, it may start editing skill files or staging changes instead of only helping with transcription.
This reference file contains imperative instructions for an agent to modify the skill repository, which is unrelated to the skill's runtime purpose of transcribing audio.
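"Please digest this information and carry out the improvements" ... "Specific iteration tasks (please execute)" ... "A task log must be written after changes" ... "Explicitly stage files"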
Remove this development-planning reference from the released skill, or clearly move it outside the runtime skill package so the agent cannot treat it as task guidance.
Anyone using these credentials can potentially interact with the configured Volcengine speech service and TOS bucket according to the permissions granted.
The skill requires Volcengine API and IAM/TOS credentials. This is expected for calling the speech API and uploading audio, but it is still privileged cloud-account access.
`VOLCENGINE_API_KEY` | Yes ... `VOLCENGINE_ACCESS_KEY_ID` | Yes ... `VOLCENGINE_SECRET_ACCESS_KEY` | Yes ... `VOLCENGINE_TOS_BUCKET` | Yes ...
Use a dedicated IAM user and a dedicated TOS bucket for this skill, keep permissions narrow, and rotate or revoke the keys if no longer needed.
Recordings may contain private conversations and will be uploaded to cloud infrastructure for transcription.
The transcription workflow sends selected audio to Volcengine object storage and then provides a presigned URL to the Doubao ASR API. This is purpose-aligned but is a sensitive data flow.
The Doubao API requires a publicly accessible URL. This script uploads audio to Volcengine TOS ... `get_url = _tos_sign_v4("GET", url_raw, ak, sk, TOS_REGION, expires=3600)`
Only transcribe recordings you are allowed to upload, use a dedicated bucket, and configure lifecycle deletion or manually remove uploaded audio objects after transcription.
