Trusted — Risk Score 5/100
Last scan: 23 hr ago
funasr-nano-transcribe
Fun-ASR-Nano-2512 Chinese speech recognition skill
Legitimate speech-to-text skill using Fun-ASR-Nano-2512 model with well-documented FastAPI service and CLI tools. No malicious behavior detected.
Skill Name: funasr-nano-transcribe
Duration: 39.4s
Engine: pi
Safe to install
Skill is safe to use. Consider pinning dependency versions in requirements.txt for reproducible builds.

Findings 1 items

Severity Finding Location
Low
Dependencies without version upper bounds Supply Chain
requirements.txt specifies minimum versions (>=) without upper bounds, allowing potentially breaking changes to be installed.
funasr>=1.0.0
modelscope>=1.10.0
...
→ Consider adding version upper bounds or using pip-compile for reproducible builds: funasr>=1.0.0,<2.0.0
requirements.txt:1
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md declares file writes for model/output; implemented in scripts/download_… |
| Network | READ | READ | ✓ Aligned | ModelScope downloads declared in SKILL.md; implemented in scripts/download_model… |
| Shell | WRITE | WRITE | ✓ Aligned | subprocess used for venv activation and server startup; documented in SKILL.md |
| Environment | NONE | NONE | | No environment variable access detected |
3 findings
Medium External URL
https://download.pytorch.org/whl/cpu
SKILL.md:51
Medium External URL
http://127.0.0.1:11890
scripts/api_client.py:81
Medium External URL
http://127.0.0.1:11890/docs
scripts/api_server.py:239

File Tree

17 files · 100.0 KB · 3201 lines
Python 7f · 1893L Markdown 4f · 1063L Shell 5f · 221L Text 1f · 24L
├─ 📁 references
│ ├─ 📝 model_info.md Markdown 130L · 3.5 KB
│ └─ 📝 persistent_usage.md Markdown 154L · 3.3 KB
├─ 📁 scripts
│ ├─ 🔧 activate.sh Shell 24L · 644 B
│ ├─ 🐍 api_client.py Python 138L · 4.4 KB
│ ├─ 🐍 api_server.py Python 260L · 8.1 KB
│ ├─ 🐍 batch_transcribe.py Python 180L · 5.7 KB
│ ├─ 🐍 download_model.py Python 337L · 10.2 KB
│ ├─ 🐍 FunASRNano.py Python 705L · 28.7 KB
│ ├─ 🐍 FunAsrTranscriber.py Python 176L · 6.0 KB
│ ├─ 🔧 setup_venv.sh Shell 90L · 2.2 KB
│ ├─ 🐍 transcribe.py Python 97L · 2.6 KB
│ └─ 🔧 verify_env.sh Shell 53L · 1.4 KB
├─ 📝 QUICKSTART.md Markdown 232L · 7.1 KB
├─ 📄 requirements.txt Text 24L · 326 B
├─ 📝 SKILL.md Markdown 547L · 14.7 KB
├─ 🔧 start_server.sh Shell 19L · 480 B
└─ 🔧 stop_server.sh Shell 35L · 883 B

Dependencies 4 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| funasr | >=1.0.0 | pip | No | Version not pinned, no upper bound |
| modelscope | >=1.10.0 | pip | No | Version not pinned, no upper bound |
| torch | >=2.0.0 | pip | No | Version not pinned, no upper bound |
| fastapi | >=0.100.0 | pip | No | Version not pinned, no upper bound |

Security Positives

✓ No credential harvesting or environment variable iteration for secrets
✓ No base64-encoded execution or obfuscation detected
✓ No reverse shell, C2 communication, or data exfiltration
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No hidden functionality - all scripts documented in SKILL.md
✓ FastAPI service only binds to 127.0.0.1 (localhost)
✓ Subprocess usage is documented and reasonable for service management
✓ Uses standard temp file patterns with proper cleanup
✓ No curl|bash or wget|sh remote script execution