Scan Report
Score: 5/100
senseaudio-voice-ab-lab
Generate multiple spoken ad variants from a typed or spoken brief, transcribe voice memos with AudioClaw ASR, and synthesize variants with the same AudioClaw voice for A/B testing.
AudioClaw Voice AB Lab is a legitimate commercial voice A/B testing skill that uses AudioClaw ASR and TTS APIs; no malicious behavior, credential theft, or undeclared capabilities were found.
Safe to install
No action needed. The skill is safe to deploy. Consider pinning the SenseAudio API helper dependencies for supply-chain hygiene.
Findings (1 item)
| Severity | Finding | Location |
|---|---|---|
| Low | Bootstrap parent-directory path traversal (privilege escalation) | scripts/senseaudio_asr.py:14 |
Capability Alignment (declared vs. inferred)
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | All scripts read/write local files for manifests, audio output, and results — fu… |
| Network | READ | READ | ✓ Aligned | POSTs to AudioClaw ASR/TTS APIs and Feishu webhook — all declared in SKILL.md Re… |
| Shell | NONE | READ | ✓ Aligned | senseaudio_asr.py calls /usr/bin/afinfo via subprocess; send_ab_variants_to_feis… |
| Environment | READ | READ | ✓ Aligned | All scripts read SENSEAUDIO_API_KEY, SENSEAUDIO_PLATFORM_TOKEN from os.environ —… |
| Skill Invoke | NONE | NONE | — | No cross-skill invocation found |
External URLs (5 findings)
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://api.senseaudio.cn/v1/audio/transcriptions | references/asr_brief_pipeline.md:8 |
| Medium | External URL | https://platform.senseaudio.cn/api | references/asr_brief_pipeline.md:13 |
| Medium | External URL | https://api.senseaudio.cn/v1/t2a_v2 | scripts/batch_tts_variants.py:31 |
| Medium | External URL | https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=chat_id | scripts/send_ab_variants_to_feishu.py:119 |
| Medium | External URL | https://platform.senseaudio.cn/api/audio/transcriptions | scripts/senseaudio_asr.py:35 |
File Tree
12 files · 60.5 KB · 1674 lines (Python: 8 files · 1373 lines; Markdown: 3 files · 297 lines; YAML: 1 file · 4 lines)
├─ agents/
│  └─ openai.yaml (YAML)
├─ references/
│  ├─ asr_brief_pipeline.md (Markdown)
│  └─ commercial_ab_patterns.md (Markdown)
├─ scripts/
│  ├─ batch_tts_variants.py (Python)
│  ├─ build_voice_ab_variants.py (Python)
│  ├─ export_ab_review_csv.py (Python)
│  ├─ extract_spoken_brief.py (Python)
│  ├─ run_spoken_brief_pipeline.py (Python)
│  ├─ run_typed_brief_pipeline.py (Python)
│  ├─ send_ab_variants_to_feishu.py (Python)
│  └─ senseaudio_asr.py (Python)
└─ SKILL.md (Markdown)
Dependencies (3 items)
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| senseaudio_api_guard | unpinned | import | No | Imported from _shared; not in requirements.txt |
| audioclaw_paths | unpinned | import | No | Imported from _shared; not in requirements.txt |
| imageio-ffmpeg | unpinned | optional | No | Optional fallback for ffmpeg; no known vulnerabilities |
Security Positives
✓ SKILL.md is comprehensive and accurately describes all 8 scripts, their purposes, and API key dependencies
✓ No base64-encoded strings, eval(), or anti-analysis techniques found in any script
✓ No access to sensitive paths such as ~/.ssh, ~/.aws, .env, or /etc
✓ No credential exfiltration — API keys are only used as Bearer tokens for AudioClaw/Feishu API calls
✓ No curl|bash or wget|sh remote script execution
✓ No hidden HTML comments or prompt injection instructions
✓ Subprocess calls are limited to legitimate CLI tools (afinfo, ffmpeg) documented and necessary for audio processing
✓ All external URLs are documented, named AudioClaw and Feishu API endpoints — no direct IP exfiltration
✓ API key bootstrap from ~/.audioclaw/workspace/state/senseaudio_credentials.json is explicitly declared in SKILL.md
✓ The load_helper_module() function in send_ab_variants_to_feishu.py correctly scopes path traversal to a named skill directory