中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 5/100
Last scan:16 hr ago Rescan
5 /100
senseaudio-game-npc-director
Build ASR-driven, relation-aware NPC voice lines and events for games and interactive worlds
This is a legitimate game NPC voice director skill that orchestrates ASR transcription, NPC dialogue generation, and TTS synthesis using AudioClaw services and Feishu for audio delivery. All observed functionality matches the documented behavior with no malicious indicators.
Skill Namesenseaudio-game-npc-director
Duration45.5s
Enginepi
Safe to install
This skill is safe for use. Monitor the dependency on external AudioClaw platform paths for credential bootstrapping.

Findings 2 items

Severity Finding Location
Low
Dynamic shared code bootstrap Supply Chain
_bootstrap_shared_senseaudio_env() traverses parent directories to locate shared code (_shared/senseaudio_env.py). This introduces a non-deterministic loading pattern.
for parent in current.parents: candidate = parent / "_shared" / "senseaudio_env.py"
→ Use an absolute path or pinned dependency for shared modules rather than parent traversal.
 scripts/senseaudio_asr.py:18
Low
API key bootstrap with credential replacement Sensitive Access
The bootstrap replaces v2.public tokens with sk-... credentials from ~/.audioclaw/workspace/state/senseaudio_credentials.json. While documented, this involves reading credentials from disk.
The shared bootstrap replaces it with the real sk-... value from ~/.audioclaw/workspace/state/senseaudio_credentials.json
→ Ensure credential file has appropriate file permissions (600).
 SKILL.md:85
ResourceDeclaredInferredStatusEvidence
Filesystem READ READ ✓ Aligned SKILL.md line 52-53: 'runs ASR on player audio'
Network READ READ ✓ Aligned SKILL.md line 54: 'calls AudioClaw ASR' and Feishu integration
Shell NONE WRITE ✓ Aligned subprocess usage in run_player_voice_npc_pipeline.py for script orchestration
Environment READ READ ✓ Aligned SENSEAUDIO_API_KEY lookup declared in SKILL.md line 82-86
5 findings
🔗
Medium External URL 外部 URL
https://api.senseaudio.cn/v1/audio/transcriptions
references/asr_player_loop.md:8
🔗
Medium External URL 外部 URL
https://platform.senseaudio.cn/api
references/asr_player_loop.md:13
🔗
Medium External URL 外部 URL
https://api.senseaudio.cn/v1/t2a_v2
scripts/batch_tts_scene.py:31
🔗
Medium External URL 外部 URL
https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=chat_id
scripts/send_npc_scene_to_feishu.py:119
🔗
Medium External URL 外部 URL
https://platform.senseaudio.cn/api/audio/transcriptions
scripts/senseaudio_asr.py:35

File Tree

10 files · 51.8 KB · 1428 lines
Python 6f · 1141L Markdown 3f · 283L YAML 1f · 4L
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 4L · 719 B
├─ 📁 references
│ ├─ 📝 asr_player_loop.md Markdown 33L · 1.4 KB
│ └─ 📝 npc_voice_design.md Markdown 64L · 1.2 KB
├─ 📁 scripts
│ ├─ 🐍 batch_tts_scene.py Python 160L · 5.8 KB
│ ├─ 🐍 build_npc_reply_from_player.py Python 139L · 5.5 KB
│ ├─ 🐍 build_npc_scene_manifest.py Python 137L · 4.4 KB
│ ├─ 🐍 run_player_voice_npc_pipeline.py Python 218L · 7.4 KB
│ ├─ 🐍 send_npc_scene_to_feishu.py Python 216L · 8.2 KB
│ └─ 🐍 senseaudio_asr.py Python 271L · 9.8 KB
└─ 📝 SKILL.md Markdown 186L · 7.3 KB

Dependencies 3 items

PackageVersionSourceKnown VulnsNotes
urllib.request stdlib Python No Standard library only
subprocess stdlib Python No Standard library only
json stdlib Python No Standard library only

Security Positives

✓ All scripts have docstrings matching their actual functionality
✓ Network calls go only to documented external services (AudioClaw ASR/TTS, Feishu API)
✓ No base64-encoded payloads or obfuscation detected
✓ No credential exfiltration or data theft patterns
✓ Subprocess usage is limited to legitimate script orchestration with environment inheritance
✓ API keys accessed only through documented environment variables (SENSEAUDIO_API_KEY, SENSEAUDIO_PLATFORM_TOKEN)
✓ No reverse shell, C2 communication, or suspicious network patterns
✓ FFmpeg transcoding is standard audio format conversion for Feishu compatibility
✓ No unauthorized sensitive file access (~/.ssh, ~/.aws, .env files)