Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

fun-voice-type

v2.0.0

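A voice input method plugin. Built on Alibaba Cloud's FunASR real-time speech recognition, it lets users long-press a hotkey (the Right Option key) to convert speech to text and "type" it directly into whatever input box currently holds the cursor. It can also translate speech into multiple languages (e.g., Chinese, English, Japanese, Korean).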

by Yuzhong WU @yzwu2017
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (voice input + translation via FunASR) matches the code and instructions: it records microphone audio, sends frames to DashScope FunASR, optionally sends recognized text to DashScope Generation (qwen-plus) for translation, and types results into the active input. This capability set is coherent for the stated purpose.
! Instruction Scope
SKILL.md instructs the user to install portaudio and several Python packages and to set DASHSCOPE_API_KEY; it also asks the user to grant Accessibility/Input Monitoring and Microphone permissions to the terminal used to run the script. The runtime instructions and code read the environment variable DASHSCOPE_API_KEY, but the package metadata declares 'Required env vars: none', so the instructions access an env var that is not declared in the metadata.
Install Mechanism
There is no install spec (instruction-only with an included script). Required system and Python deps are documented in SKILL.md. No downloads from untrusted URLs or archive extraction are used.
! Credentials
The code requires a DashScope API key (DASHSCOPE_API_KEY) to call ASR and generation APIs, which is appropriate for cloud ASR/LLM usage — but the registry metadata does not declare this required env var or a primary credential. The missing declaration is an inconsistency the user should note. No other unrelated credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges beyond the macOS accessibility/input monitoring grants required to listen to global keys and simulate typing. It does simulate keystrokes into any focused input (expected for an input method), which gives it potential to inject or exfiltrate sensitive text if used with sensitive inputs.
What to consider before installing
- The code will send microphone audio (via FunASR) and recognized text to DashScope cloud services, and may send recognized text to the qwen-plus model for translation. Do not use it for sensitive audio/text unless you trust DashScope and your API key.
- You must set DASHSCOPE_API_KEY in your environment for full functionality, but that env var is not declared in the skill registry metadata — verify this discrepancy with the publisher before providing a real API key.
- The script requires Accessibility/Input Monitoring permission for the terminal you run it from and will simulate typing into whatever input has focus. Granting those permissions to a terminal is powerful: consider running in a dedicated account or VM, and avoid using the tool while focused on password fields, banking apps, or other sensitive inputs.
- The PKG is small and readable; if you can, review the included script yourself (or have someone you trust do so). Confirm network destinations (dashscope endpoints) and consider monitoring outbound network traffic the first time you run it.
- If you need higher assurance: ask the publisher for a verified source/homepage, or request that the registry metadata be updated to declare DASHSCOPE_API_KEY as a required env var and to provide a signed release or provenance information.

Like a lobster shell, security has layers — review code before you run it.

latest vk97d3krv79panej9x8zt38xwfh83a809
