audio-transcribe-summarize 安全扫描报告 — 可信 | ClawSafe

5 /100

audio-transcribe-summarize

Transcribe audio/video files to text and generate structured summaries using SenseAudio ASR API

Legitimate audio transcription skill with all capabilities properly declared in documentation. No malicious behavior detected.

技能名称audio-transcribe-summarize

分析耗时34.1s

引擎pi

✓

可以安装

This skill is safe to use. No security concerns identified.

安全发现 1 项

严重性	安全发现	位置
低危	requests library version not pinned 供应链 The transcribe.py script imports requests but does not specify a version constraint. This could lead to unexpected behavior if a new major version with breaking changes is installed. `import requests` → Consider pinning requests version (e.g., requests>=2.28.0) or using a requirements.txt file.	`scripts/transcribe.py:29`

资源类型	声明权限	推断权限	状态	证据
文件系统	`READ,WRITE`	`READ,WRITE`	✓ 一致	Reads audio files and writes transcript outputs
网络访问	`READ`	`READ`	✓ 一致	POSTs to api.senseaudio.cn for transcription
命令执行	`WRITE`	`WRITE`	✓ 一致	subprocess.run for ffmpeg/ffprobe on lines 84-91, 108-113
环境变量	`READ`	`READ`	✓ 一致	get_api_key() reads SENSEAUDIO_API_KEY on line 63
技能调用	`NONE`	`NONE`	—	No skill invocation found
剪贴板	`NONE`	`NONE`	—	No clipboard access found
浏览器	`NONE`	`NONE`	—	No browser access found
数据库	`NONE`	`NONE`	—	No database access found

3 项发现

🔗

中危外部 URL 外部 URL

https://senseaudio.cn/platform/api-key

SKILL.md:14

🔗

中危外部 URL 外部 URL

https://ffmpeg.org/download.html

SKILL.md:16

🔗

中危外部 URL 外部 URL

https://api.senseaudio.cn/v1/audio/transcriptions

api-reference.md:6

3 文件 · 17.1 KB · 523 行

Python 1f · 296L Markdown 2f · 227L

├─ ▾ 📁 scripts

│ └─ 🐍 transcribe.py Python 296L · 10.1 KB

├─ 📝 api-reference.md Markdown 109L · 3.4 KB

└─ 📝 SKILL.md Markdown 118L · 3.6 KB

包名	版本	来源	已知漏洞	备注
`requests`	`*`	pip	否	Version not pinned, minor risk
`ffmpeg`	`system`	system	否	External binary, declared in SKILL.md

✓ All functionality fully declared in SKILL.md with clear documentation

✓ Network calls go only to declared API endpoint (api.senseaudio.cn)

✓ Shell execution limited to ffmpeg/ffprobe for legitimate audio processing

✓ API key usage is scoped to authentication with the declared service only

✓ No credential harvesting beyond legitimate API authentication

✓ No obfuscation, base64 encoding, or anti-analysis techniques

✓ No data exfiltration beyond intended API transcription service

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env files)

✓ Clean, readable code with proper error handling