Trusted: risk score 5/100
Last scanned: 19 hours ago
telegram-whisper-transcribe
Standalone Telegram bot for voice message transcription via OpenAI Whisper API
Legitimate Telegram transcription bot using OpenAI Whisper API with transparent, documented behavior and no hidden or malicious functionality.
Skill name: telegram-whisper-transcribe
Analysis time: 30.2s
Engine: pi
Verdict: safe to install
Approve for use. Consider pinning dependency versions in install.sh for supply-chain hygiene.

Security findings (1)

Severity | Finding | Category
Low | Unpinned Python dependencies | Supply chain

install.sh installs python-telegram-bot and openai without version constraints, so whatever version is available at install time is accepted.
$BOT_DIR/venv/bin/pip install -q python-telegram-bot openai
→ Pin versions: python-telegram-bot>=20.0 openai>=1.0 to prevent unexpected supply-chain updates
Note that a ">=" lower bound alone still admits every future release; an exact "==" pin (with hash checking where possible) is what actually freezes the dependency set.
Location: scripts/install.sh:24
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | NONE | WRITE | ✓ Consistent | install.sh:23-25 creates bot.py, venv, .env in $HOME
Network access | NONE | READ | ✓ Consistent | bot.py:45-57 calls Telegram API and OpenAI Whisper API only
Command execution | NONE | ADMIN | ✓ Consistent | install.sh:44-48 uses systemctl for service management (declared in SKILL.md sys…
Environment variables | READ | | ✓ Consistent | bot.py:22-23 reads TELEGRAM_BOT_TOKEN and OPENAI_API_KEY (declared in env_vars)
Skill invocation | NONE | NONE | | No cross-skill invocation detected
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser access
Database | NONE | NONE | | No database access

Directory structure

3 files · 7.5 KB · 261 lines
Python: 1 file · 102 lines; Markdown: 1 file · 100 lines; Shell: 1 file · 59 lines
├─ 📁 scripts
│ ├─ 🐍 bot.py Python 102L · 3.2 KB
│ └─ 🔧 install.sh Shell 59L · 1.4 KB
└─ 📝 SKILL.md Markdown 100L · 2.9 KB

Dependency analysis (2)

Package | Version | Source | Known vulnerabilities | Notes
python-telegram-bot | * | pip | | Version not pinned; lowest risk given a widely used library
openai | * | pip | | Version not pinned; lowest risk given the official OpenAI SDK

Security highlights

✓ All network calls are to documented, legitimate endpoints (Telegram Bot API and OpenAI Whisper API)
✓ Credentials are stored with correct restrictive permissions (chmod 600 .env)
✓ No credential harvesting — API keys are used locally, never exfiltrated
✓ No subprocess, eval, base64, or obfuscation patterns detected
✓ No hidden HTML comments or embedded instructions
✓ Clean separation: bot.py is a straightforward single-responsibility transcription service
✓ Temp files are properly cleaned up after transcription
✓ Error handling present with user-friendly feedback
✓ SKILL.md accurately describes all behavior including systemd service setup
✓ install.sh has no curl|bash remote execution patterns