meeting-minutes-assistant Security Report — Trusted | ClawSafe

5 /100

meeting-minutes-assistant

会议录音转结构化纪要 (ASR → LLM总结 → 可选TTS)

The skill is a straightforward meeting minutes assistant with no hidden or malicious behavior—code performs exactly what documentation describes.

Skill Namemeeting-minutes-assistant

Duration34.2s

Enginepi

✓

Safe to install

No action needed. The skill can be safely deployed.

Findings 1 items

Severity	Finding	Location
Low	Dependencies not pinned to exact versions Supply Chain requirements.txt specifies openai>=1.30.0, requests>=2.31.0, python-dotenv>=1.0.0. While these are known legitimate packages, loose versioning allows a future compatible-but-malicious version to be installed on pip install. `openai>=1.30.0 requests>=2.31.0 python-dotenv>=1.0.0` → Pin to exact versions (e.g., openai==1.30.0) to ensure reproducible builds.	`requirements.txt:1`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`READ`	`READ`	✓ Aligned	audio_file.open('rb') at scripts/run_meeting_minutes.py:75
Filesystem	`WRITE`	`WRITE`	✓ Aligned	OUTPUT_DIR.mkdir() and output_path.write_text() at lines 196, 218
Network	`READ`	`READ`	✓ Aligned	requests.post() to ASR/TTS URLs at lines 63, 69
Shell	`NONE`	`NONE`	—	No subprocess or os.system calls found
Environment	`NONE`	`READ`	✓ Aligned	Reads .env via python-dotenv; not declared in SKILL.md but benign

4 findings

🔗

Medium External URL 外部 URL

https://models.audiozen.cn/v1

SKILL.md:112

🔗

Medium External URL 外部 URL

https://api.senseaudio.cn

SKILL.md:113

🔗

Medium External URL 外部 URL

https://api.senseaudio.cn/v1/audio/transcriptions

scripts/run_meeting_minutes.py:63

🔗

Medium External URL 外部 URL

https://api.senseaudio.cn/v1/t2a_v2

scripts/run_meeting_minutes.py:69

File Tree

6 files · 15.0 KB · 506 lines

Python 1f · 313L Markdown 3f · 188L Text 1f · 3L YAML 1f · 2L

├─ ▾ 📁 agents

│ └─ 📋 openai.yaml YAML 2L · 51 B

├─ ▾ 📁 references

│ ├─ 📝 output_schema.md Markdown 29L · 845 B

│ └─ 📝 prompts.md Markdown 40L · 792 B

├─ ▾ 📁 scripts

│ └─ 🐍 run_meeting_minutes.py Python 313L · 10.2 KB

├─ 📄 requirements.txt Text 3L · 53 B

└─ 📝 SKILL.md Markdown 119L · 3.0 KB

Dependencies 3 items

Package	Version	Source	Known Vulns	Notes
`openai`	`>=1.30.0`	pip	No	Version not pinned; known legitimate package
`requests`	`>=2.31.0`	pip	No	Version not pinned; known legitimate package
`python-dotenv`	`>=1.0.0`	pip	No	Version not pinned; known legitimate package

Security Positives

✓ No subprocess, os.system, or shell execution found

✓ No credential harvesting or environment variable enumeration for theft

✓ No base64, eval, or code obfuscation

✓ All network calls target only declared API endpoints (SenseAudio, LLM backend)

✓ Code-to-doc alignment is high: every function maps to documented behavior

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env secrets exfiltration)

✓ No data exfiltration or C2 communication patterns

✓ File writes scoped to skill-local outputs/ directory only

Scan Report

Findings 1 items

File Tree

Dependencies 3 items

Security Positives