火一五 ASR Transcription and Meeting Notes

Pass

Audited by ClawScan on May 8, 2026.

Overview

This is a coherent transcription and meeting-notes skill, with expected cautions around third-party ASR tools, optional Hugging Face credentials, and optional cloud transcription.

This skill appears safe for its stated purpose. Before installing, be aware that the provided SKILL.md excerpt is truncated, the source is unknown, and the workflow may install large ASR dependencies, download models, use an optional Hugging Face token, and process potentially sensitive recordings or terminal logs. Prefer local transcription for private data, use an isolated Python environment, avoid passing tokens on the command line, and verify output paths before running ffmpeg.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used carelessly, a chosen output file could be overwritten during conversion.

Why it was flagged

The helper runs a local ffmpeg command and overwrites the chosen output path with `-y`; this is central to media conversion but is still local command/file-write authority.

Skill content

ffmpeg -y -i "$1" -vn -acodec libmp3lame -q:a 2 "$2"

Recommendation

Run it only on files you intend to process and choose a new output path or back up important files first.

What this means

Installing these packages may download large dependencies and model files from external sources.

Why it was flagged

The skill directs unpinned third-party package installs and model downloads for Whisper/WhisperX; this is expected for ASR but the dependency versions and provenance are not locked by the artifact.

Skill content

pip install openai-whisper ... pip install whisperx

Recommendation

Use a virtual environment, install from official package sources, and pin/review versions if you need reproducible or high-trust deployments.

What this means

A Hugging Face token may grant account/model access if leaked.

Why it was flagged

Optional speaker diarization uses a Hugging Face token. This is purpose-aligned and not printed by the script, but it is credential handling and can be exposed if passed on the command line.

Skill content

parser.add_argument("--hf_token", default=None, help="HuggingFace Token..."); hf_token = args.hf_token or os.environ.get("HF_TOKEN", None)

Recommendation

Prefer `HF_TOKEN` in a local environment variable over a command-line argument, use least-privileged tokens, and revoke tokens if exposed.

What this means

Private recordings or terminal-session content could leave the local machine if cloud ASR is selected.

Why it was flagged

The skill permits cloud ASR with a user-specified API, which may transmit audio/video content externally; the artifact discloses this and warns about privacy.

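Skill content

Cloud ASR: if the user explicitly requests it or local transcription is unavailable, use the API the user specifies; pay attention to privacy and compliance.

Recommendation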

Use local transcription for sensitive material, and only use cloud ASR providers you trust and have permission to share the content with.