Scan Report
5 /100
audio-analyzer
All-in-one audio analysis: transcribe, identify speakers by voiceprint, auto-detect scene (meeting/interview/training/talk), generate structured notes
Legitimate audio transcription and speaker identification skill. All shell commands (whisper, ffmpeg) are declared and used as documented. API keys are accessed only for their stated purpose (cloud ASR calls). No credential harvesting, data exfiltration, obfuscation, or hidden functionality detected.
Safe to install
Skill is safe to use. No action required.
Findings 1 items
| Severity | Finding | Location |
|---|---|---|
| Low | npm dependencies not exact-pinned (Supply Chain) | scripts/package.json:11 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | WRITE | ✓ Aligned | analyze.js: reads audioPath; voiceprint.py: read/write voice-db.json |
| Network | READ | READ | ✓ Aligned | analyze.js: AssemblyAI, OpenRouter, Gemini API calls; references/scenes/rowing.m… |
| Shell | WRITE | WRITE | ✓ Aligned | analyze.js: execSync('whisper ...'); voiceprint.py: subprocess.run(['ffmpeg' ...… |
| Environment | READ | READ | ✓ Aligned | analyze.js: process.env.ASSEMBLYAI_API_KEY etc.; used only for ASR API calls |
| Skill Invoke | NONE | NONE | — | No skill invocation found |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser access |
| Database | NONE | NONE | — | No external database access; local JSON files only |
4 findings
| Severity | Finding | URL | Location |
|---|---|---|---|
| Medium | External URL | https://api.open-meteo.com/v1/forecast?latitude=31.143&longitude=121.657&hourly=temperature_2m | references/scenes/rowing.md:10 |
| Medium | External URL | https://openrouter.ai/api/v1 | scripts/analyze.js:12 |
| Medium | External URL | https://dotenvx.com | scripts/package-lock.json:120 |
| Medium | External URL | https://paypal.me/jimmywarting | scripts/package-lock.json:380 |
File Tree
11 files · 59.7 KB · 1823 lines
JSON 2 files · 512 lines
Markdown 7 files · 487 lines
Python 1 file · 426 lines
JavaScript 1 file · 398 lines
├─ references
│  ├─ scenes
│  │  ├─ general.md (Markdown)
│  │  ├─ interview.md (Markdown)
│  │  ├─ meeting.md (Markdown)
│  │  ├─ rowing.md (Markdown)
│  │  └─ talk.md (Markdown)
│  └─ voice-profiles.md (Markdown)
├─ scripts
│  ├─ analyze.js (JavaScript)
│  ├─ package-lock.json (JSON)
│  ├─ package.json (JSON)
│  └─ voiceprint.py (Python)
└─ SKILL.md (Markdown)
Dependencies 6 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| assemblyai | 4.26.1 | npm | No | Resolved from ^4.8.0 |
| dotenv | 16.6.1 | npm | No | Resolved from ^16.4.0 |
| openai | 4.104.0 | npm | No | Resolved from ^4.70.0 |
| numpy | unpinned | pip (optional) | No | Optional Python dep for voiceprint.py, not pinned in code |
| librosa | unpinned | pip (optional) | No | Optional Python dep for voiceprint.py, not pinned in code |
| onnxruntime | unpinned | pip (optional) | No | Optional Python dep for voiceprint.py, not pinned in code |
Security Positives
✓ No base64-encoded execution, eval(), or obfuscation detected
✓ All shell commands (whisper, ffmpeg) are declared in SKILL.md and match actual usage
✓ API keys are read from environment and used only for legitimate ASR API calls
✓ Voice embeddings are stored locally in JSON, never sent externally
✓ No credential harvesting beyond what is necessary for ASR functionality
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ No data exfiltration or C2 communication
✓ No reverse shell, RCE, or arbitrary code execution
✓ Code is clean and readable with no hidden instructions
✓ External URLs (Open-Meteo, OpenRouter, AssemblyAI) are documented and expected for audio transcription
✓ package-lock.json provides reproducible dependency resolution