audio-analyzer 安全扫描报告 — 可信 | ClawSafe

5 /100

audio-analyzer

All-in-one audio analysis: transcribe, identify speakers by voiceprint, auto-detect scene (meeting/interview/training/talk), generate structured notes

Legitimate audio transcription and speaker identification skill. All shell commands (whisper, ffmpeg) are declared and used as documented. API keys are accessed only for their stated purpose (cloud ASR calls). No credential harvesting, data exfiltration, obfuscation, or hidden functionality detected.

技能名称audio-analyzer

分析耗时47.0s

引擎pi

✓

可以安装

Skill is safe to use. No action required.

安全发现 1 项

严重性	安全发现	位置
低危	npm dependencies not exact-pinned 供应链 package.json uses caret version ranges (^4.8.0, ^16.4.0, ^4.70.0) instead of exact versions. However, package-lock.json locks to specific versions, mitigating this risk. `"assemblyai": "^4.8.0"` → Use exact pinned versions in package.json for reproducible builds: "assemblyai": "4.26.1"	`scripts/package.json:11`

资源类型	声明权限	推断权限	状态	证据
文件系统	`READ`	`WRITE`	✓ 一致	analyze.js: reads audioPath; voiceprint.py: read/write voice-db.json
网络访问	`READ`	`READ`	✓ 一致	analyze.js: AssemblyAI, OpenRouter, Gemini API calls; references/scenes/rowing.m…
命令执行	`WRITE`	`WRITE`	✓ 一致	analyze.js: execSync('whisper ...'); voiceprint.py: subprocess.run(['ffmpeg' ...…
环境变量	`READ`	`READ`	✓ 一致	analyze.js: process.env.ASSEMBLYAI_API_KEY etc.; used only for ASR API calls
技能调用	`NONE`	`NONE`	—	No skill invocation found
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	No browser access
数据库	`NONE`	`NONE`	—	No external database access; local JSON files only

4 项发现

🔗

中危外部 URL 外部 URL

https://api.open-meteo.com/v1/forecast?latitude=31.143&longitude=121.657&hourly=temperature_2m

references/scenes/rowing.md:10

🔗

中危外部 URL 外部 URL

https://openrouter.ai/api/v1

scripts/analyze.js:12

🔗

中危外部 URL 外部 URL

https://dotenvx.com

scripts/package-lock.json:120

🔗

中危外部 URL 外部 URL

https://paypal.me/jimmywarting

scripts/package-lock.json:380

目录结构

11 文件 · 59.7 KB · 1823 行

JSON 2f · 512L Markdown 7f · 487L Python 1f · 426L JavaScript 1f · 398L

├─ ▾ 📁 references

│ ├─ ▾ 📁 scenes

│ │ ├─ 📝 general.md Markdown 29L · 536 B

│ │ ├─ 📝 interview.md Markdown 36L · 885 B

│ │ ├─ 📝 meeting.md Markdown 40L · 905 B

│ │ ├─ 📝 rowing.md Markdown 40L · 1.3 KB

│ │ └─ 📝 talk.md Markdown 34L · 781 B

│ └─ 📝 voice-profiles.md Markdown 53L · 1.9 KB

├─ ▾ 📁 scripts

│ ├─ 📜 analyze.js JavaScript 398L · 13.0 KB

│ ├─ 📋 package-lock.json JSON 497L · 17.1 KB

│ ├─ 📋 package.json JSON 15L · 363 B

│ └─ 🐍 voiceprint.py Python 426L · 13.6 KB

└─ 📝 SKILL.md Markdown 255L · 9.4 KB

依赖分析 6 项

包名	版本	来源	已知漏洞	备注
`assemblyai`	`4.26.1`	npm	否	Resolved from ^4.8.0
`dotenv`	`16.6.1`	npm	否	Resolved from ^16.4.0
`openai`	`4.104.0`	npm	否	Resolved from ^4.70.0
`numpy`	`unpinned`	pip (optional)	否	Optional Python dep for voiceprint.py, not pinned in code
`librosa`	`unpinned`	pip (optional)	否	Optional Python dep for voiceprint.py, not pinned in code
`onnxruntime`	`unpinned`	pip (optional)	否	Optional Python dep for voiceprint.py, not pinned in code

安全亮点

✓ No base64-encoded execution, eval(), or obfuscation detected

✓ All shell commands (whisper, ffmpeg) are declared in SKILL.md and match actual usage

✓ API keys are read from environment and used only for legitimate ASR API calls

✓ Voice embeddings are stored locally in JSON, never sent externally

✓ No credential harvesting beyond what is necessary for ASR functionality

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)

✓ No data exfiltration or C2 communication

✓ No reverse shell, RCE, or arbitrary code execution

✓ Code is clean and readable with no hidden instructions

✓ External URLs (Open-Meteo, OpenRouter, AssemblyAI) are documented and expected for audio transcription

✓ package-lock.json provides reproducible dependency resolution