Trusted — Risk score 5/100
Last scanned: 19 hours ago
senseaudio-game-npc-director
Build ASR-driven, relation-aware NPC voice lines and events for games and interactive worlds
This is a legitimate game NPC voice director skill that orchestrates ASR transcription, NPC dialogue generation, and TTS synthesis using AudioClaw services and Feishu for audio delivery. All observed functionality matches the documented behavior with no malicious indicators.
Skill name: senseaudio-game-npc-director
Analysis time: 45.5s
Engine: pi
Safe to install
This skill is safe for use. Monitor the dependency on external AudioClaw platform paths for credential bootstrapping.

Security findings: 2

Severity | Finding | Location
Low
Dynamic shared code bootstrap (Supply chain)
_bootstrap_shared_senseaudio_env() traverses parent directories to locate shared code (_shared/senseaudio_env.py). This introduces a non-deterministic loading pattern.
for parent in current.parents: candidate = parent / "_shared" / "senseaudio_env.py"
→ Use an absolute path or pinned dependency for shared modules rather than parent traversal.
scripts/senseaudio_asr.py:18
Low
API key bootstrap with credential replacement (Sensitive access)
The bootstrap replaces v2.public tokens with sk-... credentials from ~/.audioclaw/workspace/state/senseaudio_credentials.json. While documented, this involves reading credentials from disk.
The shared bootstrap replaces it with the real sk-... value from ~/.audioclaw/workspace/state/senseaudio_credentials.json
→ Ensure credential file has appropriate file permissions (600).
SKILL.md:85
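Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | READ | ✓ Consistent | SKILL.md line 52-53: 'runs ASR on player audio'
Network access | READ | READ | ✓ Consistent | SKILL.md line 54: 'calls AudioClaw ASR' and Feishu integration
Command execution | NONE | WRITE | ✓ Consistent | subprocess usage in run_player_voice_npc_pipeline.py for script orchestration
Environment variables | READ | READ | ✓ Consistent | SENSEAUDIO_API_KEY lookup declared in SKILL.md line 82-86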
5 findings
Severity | Type | URL | Location
Medium | External URL | https://api.senseaudio.cn/v1/audio/transcriptions | references/asr_player_loop.md:8
Medium | External URL | https://platform.senseaudio.cn/api | references/asr_player_loop.md:13
Medium | External URL | https://api.senseaudio.cn/v1/t2a_v2 | scripts/batch_tts_scene.py:31
Medium | External URL | https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=chat_id | scripts/send_npc_scene_to_feishu.py:119
Medium | External URL | https://platform.senseaudio.cn/api/audio/transcriptions | scripts/senseaudio_asr.py:35

Directory structure

10 files · 51.8 KB · 1428 lines
Python 6f · 1141L Markdown 3f · 283L YAML 1f · 4L
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 4L · 719 B
├─ 📁 references
│ ├─ 📝 asr_player_loop.md Markdown 33L · 1.4 KB
│ └─ 📝 npc_voice_design.md Markdown 64L · 1.2 KB
├─ 📁 scripts
│ ├─ 🐍 batch_tts_scene.py Python 160L · 5.8 KB
│ ├─ 🐍 build_npc_reply_from_player.py Python 139L · 5.5 KB
│ ├─ 🐍 build_npc_scene_manifest.py Python 137L · 4.4 KB
│ ├─ 🐍 run_player_voice_npc_pipeline.py Python 218L · 7.4 KB
│ ├─ 🐍 send_npc_scene_to_feishu.py Python 216L · 8.2 KB
│ └─ 🐍 senseaudio_asr.py Python 271L · 9.8 KB
└─ 📝 SKILL.md Markdown 186L · 7.3 KB

Dependency analysis: 3 items

Package | Version | Source | Known vulnerabilities | Notes
urllib.request | stdlib | Python | | Standard library only
subprocess | stdlib | Python | | Standard library only
json | stdlib | Python | | Standard library only

Security highlights

✓ All scripts have docstrings matching their actual functionality
✓ Network calls go only to documented external services (AudioClaw ASR/TTS, Feishu API)
✓ No base64-encoded payloads or obfuscation detected
✓ No credential exfiltration or data theft patterns
✓ Subprocess usage is limited to legitimate script orchestration with environment inheritance
✓ API keys accessed only through documented environment variables (SENSEAUDIO_API_KEY, SENSEAUDIO_PLATFORM_TOKEN)
✓ No reverse shell, C2 communication, or suspicious network patterns
✓ FFmpeg transcoding is standard audio format conversion for Feishu compatibility
✓ No unauthorized sensitive file access (~/.ssh, ~/.aws, .env files)