ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Byted Las Asr Pro

v1.0.0

Transcribe audio files to text using speech recognition. Use this skill when user needs to: - Convert audio/video to text (speech-to-text) - Transcribe recor...

0· 66·0 current·0 all-time
by@volcengine-skills
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The code and SKILL.md implement an async submit/poll speech-to-text client pointing at operator.las.<region>.volces.com, which matches the skill's described purpose. However, the registry metadata lists no required env vars while SKILL.md and the code require LAS_API_KEY (and optionally LAS_API_BASE / LAS_REGION). This metadata omission is inconsistent and could mislead users about needed secrets.
Instruction Scope
Runtime instructions and the included script are narrowly scoped to: build a JSON payload, POST to submit and poll endpoints, validate audio URLs (including DNS resolution and private-IP blocking), and read LAS_API_KEY from env or a local env.sh. The skill does not attempt to read arbitrary system files or exfiltrate data to unexpected endpoints beyond the documented service domain.
Install Mechanism
There is no install spec (no downloads), which reduces risk. The package includes a Python script that depends on the 'requests' module; the skill does not declare that runtime dependency in metadata. No external archives or non-standard install steps are used.
!
Credentials
The code legitimately needs LAS_API_KEY to call the service (and will also read LAS_REGION, REGION, region, and optionally LAS_API_BASE) but the registry metadata lists no required environment variables. The skill will read env.sh in the current working directory to extract LAS_API_KEY if present — this is proportionate to the task but the metadata omission is a likely oversight that could hide the need to provide a secret.
Persistence & Privilege
The skill does not request persistent/always-on presence, does not modify other skills or global agent configuration, and uses normal user-space operations only.
What to consider before installing
This skill implements a submit/poll transcription client that needs an API key (LAS_API_KEY) even though the registry metadata does not declare it. Before installing: (1) confirm you trust the service domain (operator.las.<region>.volces.com) and the publisher; (2) be prepared to supply LAS_API_KEY (or create a dedicated/limited key) and optionally LAS_REGION/LAS_API_BASE; (3) inspect any env.sh file you place in the working directory (it will be parsed for LAS_API_KEY); (4) note the script uses Python 'requests' (ensure the runtime has it); (5) if you need stronger assurance, ask the publisher to fix the metadata to list required env vars and provide a signed/hosted release or official homepage. The inconsistencies are likely sloppy metadata, not overtly malicious, but verify the endpoint and key handling before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97286ad1kzyyyacmsbk4b2aj183kvvm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments