Scan report
5 /100
meeting-summary
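Meeting recording → structured minutes. Supports Step ASR transcription, pyannote speaker diarization, voiceprint-based real-name matching, and LLM minutes generation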
Legitimate meeting transcription and summarization skill with properly declared subprocess execution, standard credential handling, and no malicious behavior observed.
Safe to install
No action needed. The skill is safe for deployment.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Consistent | Writes cache to ~/.openclaw/workspace/, voiceprints to memory/, temp WAV files |
| Network access | READ | READ | ✓ Consistent | Only POSTs to api.stepfun.com (ASR, LLM), GETs from HuggingFace Hub for pyannote… |
| Command execution | WRITE | WRITE | ✓ Consistent | subprocess.run() for ffmpeg, transcribe.py, pyannote-diarize.py; declared in SKI… |
| Environment variables | READ | READ | ✓ Consistent | Reads STEPFUN_API_KEY, HF_TOKEN, MEETING_SUMMARY_* vars; sent only to intended s… |
| Skill invocation | NONE | NONE | — | No skill_invoke calls observed |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser access |
| Database | NONE | NONE | — | No database access |
14 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://img.shields.io/badge/Built%20for-OpenClaw-blue | README.md:8 |
| Medium | External URL | https://img.shields.io/badge/License-MIT-green.svg | README.md:9 |
| Medium | External URL | https://img.shields.io/badge/version-2.3.0-orange | README.md:10 |
| Medium | External URL | https://platform.stepfun.com/interface-key | README.md:81 |
| Medium | External URL | https://huggingface.co/ | README.md:90 |
| Medium | External URL | https://openclawmp.cc/asset/s-a7ea7f3e07f1ffda | README.md:475 |
| Medium | External URL | https://api.stepfun.com/v1/chat/completions | SKILL.md:172 |
| Medium | External URL | https://evermeet.cx/ffmpeg/ | references/setup-guide.md:21 |
| Medium | External URL | https://platform.stepfun.com/interface-key** | references/setup-guide.md:66 |
| Medium | External URL | https://huggingface.co/pyannote/speaker-diarization-community-1** | references/setup-guide.md:114 |
| Medium | External URL | https://huggingface.co/pyannote/speaker-diarization-community-1 | references/setup-guide.md:141 |
| Medium | External URL | https://hf.co/pyannote/speaker-diarization-community-1 | scripts/pyannote-diarize.py:59 |
| Medium | External URL | https://api.stepfun.com/v1/audio/transcriptions | scripts/transcribe.py:19 |
| Medium | External URL | https://api.stepfun.com/v1/audio/asr/sse | scripts/transcribe.py:20 |
Directory structure
7 files · 118.7 KB · 3469 lines
Python: 4 files · 2405 lines
Markdown: 3 files · 1064 lines
├─ references
│  └─ setup-guide.md (Markdown)
├─ scripts
│  ├─ meeting-summarize.py (Python)
│  ├─ pyannote-diarize.py (Python)
│  ├─ transcribe.py (Python)
│  └─ voiceprint-manager.py (Python)
├─ README.md (Markdown)
└─ SKILL.md (Markdown)
Dependency analysis: 4 items
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| numpy | implied | import | No | No requirements.txt; versions not explicitly pinned in project |
| soundfile | implied | import | No | No requirements.txt; versions not explicitly pinned in project |
| onnxruntime | implied | import | No | No requirements.txt; versions not explicitly pinned in project |
| urllib | stdlib | stdlib | No | stdlib for API calls |
Security highlights
✓ All subprocess execution is explicitly documented in SKILL.md with exact commands and arguments
✓ API credentials are read locally and sent only to the intended StepFun API endpoint
✓ HuggingFace token is read from ~/.huggingface_token and passed only to HuggingFace Hub
✓ No base64-encoded payloads, eval(), or dynamic code execution
✓ No network exfiltration or C2 communication
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
✓ No obfuscation techniques (no base64 pipelines, no atob(), no obfuscated strings)
✓ No curl|bash or wget|sh remote script execution
✓ No hidden HTML comments or steganographic payloads
✓ Voiceprint embeddings stored locally in JSON format, not exfiltrated
✓ Cache files use SHA256 fingerprints of audio paths, not content hashes of user data
✓ Dependency versions are implied by the codebase structure; no requirements.txt/pip install without pinning observed
✓ Temporary files are properly cleaned up with safe_unlink() in finally blocks