Back to plugin

Security audit

SoundAI ASR Provider

Security checks across malware telemetry and agentic risk

Overview

The skill's code, provider metadata, and SKILL.md consistently implement a SoundAI ASR provider that sends audio to SoundAI's cloud API and requires a SoundAI API key — nothing in the package appears to do unrelated or hidden actions.

This skill appears to do exactly what it says: send audio to SoundAI and return a transcription. Before installing: (1) Confirm you are willing to send audio to SoundAI's default endpoint (https://openapi-gateway-azero.soundai.com) and review SoundAI's privacy/retention policies. (2) Provide only a least-privilege SoundAI API key and verify that openclaw.plugin.json's SOUNDAI_API_KEY is the intended credential (the registry metadata omitted this, which is likely a packaging oversight). (3) Be cautious if you supply a custom baseUrl — the plugin will allow contacting that URL (including private network addresses) for transcription requests. If any of these details are unacceptable, do not install or restrict network access accordingly.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.