Scan Report
5/100
meeting-summary
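Meeting recording → structured minutes. Supports Step ASR transcription, pyannote speaker diarization, voiceprint-based real-name matching, and LLM-generated minutes.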
Legitimate meeting transcription and summarization skill with properly declared subprocess execution, standard credential handling, and no malicious behavior observed.
Safe to install
No action needed. The skill is safe for deployment.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | Writes cache to ~/.openclaw/workspace/, voiceprints to memory/, temp WAV files |
| Network | READ | READ | ✓ Aligned | Only POSTs to api.stepfun.com (ASR, LLM), GETs from HuggingFace Hub for pyannote… |
| Shell | WRITE | WRITE | ✓ Aligned | subprocess.run() for ffmpeg, transcribe.py, pyannote-diarize.py; declared in SKI… |
| Environment | READ | READ | ✓ Aligned | Reads STEPFUN_API_KEY, HF_TOKEN, MEETING_SUMMARY_* vars; sent only to intended s… |
| Skill Invoke | NONE | NONE | — | No skill_invoke calls observed |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser access |
| Database | NONE | NONE | — | No database access |
14 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://img.shields.io/badge/Built%20for-OpenClaw-blue | README.md:8 |
| Medium | External URL | https://img.shields.io/badge/License-MIT-green.svg | README.md:9 |
| Medium | External URL | https://img.shields.io/badge/version-2.3.0-orange | README.md:10 |
| Medium | External URL | https://platform.stepfun.com/interface-key | README.md:81 |
| Medium | External URL | https://huggingface.co/ | README.md:90 |
| Medium | External URL | https://openclawmp.cc/asset/s-a7ea7f3e07f1ffda | README.md:475 |
| Medium | External URL | https://api.stepfun.com/v1/chat/completions | SKILL.md:172 |
| Medium | External URL | https://evermeet.cx/ffmpeg/ | references/setup-guide.md:21 |
| Medium | External URL | https://platform.stepfun.com/interface-key** | references/setup-guide.md:66 |
| Medium | External URL | https://huggingface.co/pyannote/speaker-diarization-community-1** | references/setup-guide.md:114 |
| Medium | External URL | https://huggingface.co/pyannote/speaker-diarization-community-1 | references/setup-guide.md:141 |
| Medium | External URL | https://hf.co/pyannote/speaker-diarization-community-1 | scripts/pyannote-diarize.py:59 |
| Medium | External URL | https://api.stepfun.com/v1/audio/transcriptions | scripts/transcribe.py:19 |
| Medium | External URL | https://api.stepfun.com/v1/audio/asr/sse | scripts/transcribe.py:20 |
File Tree
7 files · 118.7 KB · 3469 lines
Python 4f · 2405L
Markdown 3f · 1064L
├─ references
│  └─ setup-guide.md (Markdown)
├─ scripts
│  ├─ meeting-summarize.py (Python)
│  ├─ pyannote-diarize.py (Python)
│  ├─ transcribe.py (Python)
│  └─ voiceprint-manager.py (Python)
├─ README.md (Markdown)
└─ SKILL.md (Markdown)
Dependencies 4 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| numpy | implied | import | No | No requirements.txt; versions not explicitly pinned in project |
| soundfile | implied | import | No | No requirements.txt; versions not explicitly pinned in project |
| onnxruntime | implied | import | No | No requirements.txt; versions not explicitly pinned in project |
| urllib | stdlib | stdlib | No | stdlib for API calls |
Security Positives
✓ All subprocess execution is explicitly documented in SKILL.md with exact commands and arguments
✓ API credentials are read locally and sent only to the intended StepFun API endpoint
✓ HuggingFace token is read from ~/.huggingface_token and passed only to HuggingFace Hub
✓ No base64-encoded payloads, eval(), or dynamic code execution
✓ No network exfiltration or C2 communication
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
✓ No obfuscation techniques (no base64 pipelines, no atob(), no obfuscated strings)
✓ No curl|bash or wget|sh remote script execution
✓ No hidden HTML comments or steganographic payloads
✓ Voiceprint embeddings stored locally in JSON format, not exfiltrated
✓ Cache files use SHA256 fingerprints of audio paths, not content hashes of user data
✓ Dependency versions are implied by the codebase structure; no requirements.txt/pip install without pinning observed
✓ Temporary files are properly cleaned up with safe_unlink() in finally blocks