火一五 ASR 转写与纪要
PassAudited by VirusTotal on May 8, 2026.
Overview
Type: OpenClaw Skill Name: huo15-openclaw-asr Version: 1.0.0 The skill bundle provides legitimate audio/video transcription and terminal log parsing capabilities using Whisper, WhisperX, and ffmpeg. The included scripts (transcode_mp3.sh, strip_ansi.py, and transcribe_with_diarization.py) are functional utilities aligned with the stated purpose of converting media to text and generating meeting minutes. While the skill involves executing shell commands and installing Python dependencies, there is no evidence of malicious intent, data exfiltration, or unauthorized persistence; the use of HuggingFace tokens and local file saving to the Downloads directory is transparently documented for the user.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, a chosen output file could be overwritten during conversion.
The helper runs a local ffmpeg command and overwrites the chosen output path with `-y`; this is central to media conversion but is still local command/file-write authority.
ffmpeg -y -i "$1" -vn -acodec libmp3lame -q:a 2 "$2"
Run it only on files you intend to process and choose a new output path or back up important files first.
Installing these packages may download large dependencies and model files from external sources.
The skill directs unpinned third-party package installs and model downloads for Whisper/WhisperX; this is expected for ASR but the dependency versions and provenance are not locked by the artifact.
pip install openai-whisper ... pip install whisperx
Use a virtual environment, install from official package sources, and pin/review versions if you need reproducible or high-trust deployments.
A Hugging Face token may grant account/model access if leaked.
Optional speaker diarization uses a Hugging Face token. This is purpose-aligned and not printed by the script, but it is credential handling and can be exposed if passed on the command line.
parser.add_argument("--hf_token", default=None, help="HuggingFace Token..."); hf_token = args.hf_token or os.environ.get("HF_TOKEN", None)Prefer `HF_TOKEN` in a local environment variable over a command-line argument, use least-privileged tokens, and revoke tokens if exposed.
Private recordings or terminal-session content could leave the local machine if cloud ASR is selected.
The skill permits cloud ASR with a user-specified API, which may transmit audio/video content externally; the artifact discloses this and warns about privacy.
云端 ASR:若用户明确要求或本地不可用,使用用户指定的 API;须注意隐私与合规。
Use local transcription for sensitive material, and only use cloud ASR providers you trust and have permission to share the content with.