funasr-nano-transcribe 安全扫描报告 — 可信 | ClawSafe

5 /100

funasr-nano-transcribe

Fun-ASR-Nano-2512 中文语音识别技能

Legitimate speech-to-text skill using Fun-ASR-Nano-2512 model with well-documented FastAPI service and CLI tools. No malicious behavior detected.

技能名称funasr-nano-transcribe

分析耗时39.4s

引擎pi

✓

可以安装

Skill is safe to use. Consider pinning dependency versions in requirements.txt for reproducible builds.

安全发现 1 项

严重性	安全发现	位置
低危	Dependencies without version upper bounds 供应链 requirements.txt specifies minimum versions (>=) without upper bounds, allowing potentially breaking changes to be installed. `funasr>=1.0.0 modelscope>=1.10.0 ...` → Consider adding version upper bounds or using pip-compile for reproducible builds: funasr>=1.0.0,<2.0.0	`requirements.txt:1`

资源类型	声明权限	推断权限	状态	证据
文件系统	`WRITE`	`WRITE`	✓ 一致	SKILL.md declares file writes for model/output; implemented in scripts/download_…
网络访问	`READ`	`READ`	✓ 一致	ModelScope downloads declared in SKILL.md; implemented in scripts/download_model…
命令执行	`WRITE`	`WRITE`	✓ 一致	subprocess used for venv activation and server startup; documented in SKILL.md
环境变量	`NONE`	`NONE`	—	No environment variable access detected

3 项发现

🔗

中危外部 URL 外部 URL

https://download.pytorch.org/whl/cpu

SKILL.md:51

🔗

中危外部 URL 外部 URL

http://127.0.0.1:11890

scripts/api_client.py:81

🔗

中危外部 URL 外部 URL

http://127.0.0.1:11890/docs

scripts/api_server.py:239

目录结构

17 文件 · 100.0 KB · 3201 行

Python 7f · 1893L Markdown 4f · 1063L Shell 5f · 221L Text 1f · 24L

├─ ▾ 📁 references

│ ├─ 📝 model_info.md Markdown 130L · 3.5 KB

│ └─ 📝 persistent_usage.md Markdown 154L · 3.3 KB

├─ ▾ 📁 scripts

│ ├─ 🔧 activate.sh Shell 24L · 644 B

│ ├─ 🐍 api_client.py Python 138L · 4.4 KB

│ ├─ 🐍 api_server.py Python 260L · 8.1 KB

│ ├─ 🐍 batch_transcribe.py Python 180L · 5.7 KB

│ ├─ 🐍 download_model.py Python 337L · 10.2 KB

│ ├─ 🐍 FunASRNano.py Python 705L · 28.7 KB

│ ├─ 🐍 FunAsrTranscriber.py Python 176L · 6.0 KB

│ ├─ 🔧 setup_venv.sh Shell 90L · 2.2 KB

│ ├─ 🐍 transcribe.py Python 97L · 2.6 KB

│ └─ 🔧 verify_env.sh Shell 53L · 1.4 KB

├─ 📝 QUICKSTART.md Markdown 232L · 7.1 KB

├─ 📄 requirements.txt Text 24L · 326 B

├─ 📝 SKILL.md Markdown 547L · 14.7 KB

├─ 🔧 start_server.sh Shell 19L · 480 B

└─ 🔧 stop_server.sh Shell 35L · 883 B

依赖分析 4 项

包名	版本	来源	已知漏洞	备注
`funasr`	`>=1.0.0`	pip	否	Version not pinned, no upper bound
`modelscope`	`>=1.10.0`	pip	否	Version not pinned, no upper bound
`torch`	`>=2.0.0`	pip	否	Version not pinned, no upper bound
`fastapi`	`>=0.100.0`	pip	否	Version not pinned, no upper bound

安全亮点

✓ No credential harvesting or environment variable iteration for secrets

✓ No base64-encoded execution or obfuscation detected

✓ No reverse shell, C2 communication, or data exfiltration

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)

✓ No hidden functionality - all scripts documented in SKILL.md

✓ FastAPI service only binds to 127.0.0.1 (localhost)

✓ Subprocess usage is documented and reasonable for service management

✓ Uses standard temp file patterns with proper cleanup

✓ No curl|bash or wget|sh remote script execution