Low risk: risk score 10/100
Last scanned: 1 day ago
meeting-to-text
Create a fully local speaker-separated .txt transcript from a meeting recording, meeting screen recording, speech audio, or local video/audio file
A legitimate local transcription tool that converts audio/video files to speaker-separated text transcripts using FFmpeg and local ASR models. All functionality is properly declared and verified.
Skill name: meeting-to-text
Analysis time: 39.0s
Engine: pi
Can be installed
This skill is safe to use. The subprocess execution of FFmpeg and ModelScope downloads are legitimate and necessary for media processing. No credential access or data exfiltration observed.

Security findings: 2

Severity / Finding / Location
Low
Undeclared network access for model caching (category: documentation deception)
The script downloads speaker models from ModelScope via snapshot_download at line 180. This is not explicitly declared in SKILL.md but is a legitimate function for model caching.
from modelscope.hub.snapshot_download import snapshot_download
→ Consider adding 'ModelScope downloads' to the declared capabilities section for transparency, though this is standard practice for ML model management.
scripts/meeting_to_text.py:180
Low
Shell execution not explicitly declared in SKILL.md (category: documentation deception)
SKILL.md does not explicitly mention that FFmpeg is executed via subprocess. However, the runtime_paths.md references FFmpeg explicitly, and this is necessary functionality.
subprocess.run(command, capture_output=True, text=True, encoding='utf-8', errors='replace')
→ SKILL.md already documents FFmpeg usage indirectly through runtime references. Consider adding explicit mention of FFmpeg subprocess execution for clarity.
scripts/meeting_to_text.py:131
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | READ | READ | ✓ Consistent | SKILL.md:22 - one local source file path |
| File system | WRITE | WRITE | ✓ Consistent | SKILL.md:23 - one output target path; scripts/meeting_to_text.py:line 100 writes… |
| Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md:31 - subprocess to FFmpeg for media processing; scripts/meeting_to_text… |
| Network access | NONE | READ | ✓ Consistent | scripts/meeting_to_text.py:line 180 - snapshot_download from ModelScope (model c… |
| Environment variables | NONE | READ | ✓ Consistent | scripts/meeting_to_text.py:line 41 - os.getenv for path configuration, not crede… |

Directory structure

5 files · 35.0 KB · 978 lines
Python 1f · 748L Markdown 3f · 188L JSON 1f · 42L
├─ 📁 evals
│ └─ 📋 evals.json JSON 42L · 2.2 KB
├─ 📁 references
│ ├─ 📝 runtime_paths.md Markdown 41L · 1.6 KB
│ └─ 📝 troubleshooting.md Markdown 57L · 1.2 KB
├─ 📁 scripts
│ └─ 🐍 meeting_to_text.py Python 748L · 26.3 KB
└─ 📝 SKILL.md Markdown 90L · 3.7 KB

Dependency analysis: 7 items

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| funasr | * | pip | | ASR framework, version not pinned but standard dependency |
| torch | * | pip | | PyTorch, version not pinned |
| torchaudio | * | pip | | Audio processing, version not pinned |
| numpy | * | pip | | Numerical computing, standard dependency |
| scipy | * | pip | | Scientific computing, standard dependency |
| sklearn | * | pip | | Scikit-learn for clustering, standard dependency |
| modelscope | * | pip | | ModelScope SDK for speaker model downloads, version not pinned |

Security highlights

✓ No credential harvesting or sensitive environment variable access
✓ No base64 encoding or code obfuscation detected
✓ No C2 communication or data exfiltration
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ All dependencies are legitimate ML/audio processing libraries
✓ Code structure is clean with proper error handling
✓ Temporary files are properly cleaned up with shutil.rmtree
✓ No reverse shell or remote execution payloads
✓ User inputs are properly validated with file existence and extension checks