← Back to Skills Marketplace
656
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install salute-speech
Description
Transcribe audio files using Sber Salute Speech async API. Russian-first STT with support for ru-RU, en-US, kk-KZ, ky-KG, uz-UZ.
Usage Guidance
This skill appears to do what it says: it uploads a user-supplied audio file to Sber's Salute Speech service using the API key in SALUTE_AUTH_DATA and returns transcripts. Before installing, consider the following:
- Protect SALUTE_AUTH_DATA: treat it like a secret (client_id:client_secret or an authorization key). The script uses it to obtain tokens.
- Transport security: the client disables SSL verification (verify_ssl=False) and suppresses warnings. That makes network traffic (including tokens and audio uploads) susceptible to interception if you are on an untrusted network. If possible, verify the certificate chain and enable SSL checks.
- Logs and stdout: the script prints server responses and token info; logs may expose tokens or API responses—avoid running on shared machines or configure logging to avoid leaking secrets.
- Review the full source: although endpoints used are Sber domains, review the complete script (including truncated portion if any) before use to confirm there are no unexpected remote endpoints or file operations.
- For sensitive audio, consider running the client in a controlled environment or using service-provided enterprise options that meet your security requirements.
If you are comfortable with the SSL tradeoff (or can change the code to enable verification), the skill is coherent and appropriate for its stated purpose.
Capability Analysis
Type: OpenClaw Skill
Name: salute-speech
Version: 1.0.1
The skill bundle is classified as suspicious due to multiple critical vulnerabilities. The `salute_transcribe.py` script explicitly disables SSL/TLS verification (`verify_ssl=False`) for all network communications, as also noted in `SKILL.md`, creating a severe Man-in-the-Middle (MITM) risk. Furthermore, the script's `upload_file` method reads and uploads the content of any file specified by the `--file` argument to a third-party API, enabling potential data exfiltration if an agent is prompted to provide a sensitive file path. Lastly, the script allows writing arbitrary files to user-controlled directories via the `--output_dir` argument, which could be exploited through prompt injection to achieve persistence or other malicious actions on the host system.
Capability Assessment
Purpose & Capability
Name/description align with required pieces: the skill needs a Salute API credential (SALUTE_AUTH_DATA) and the 'uv' runner to execute the included Python client. Required binaries and env var map to the declared purpose.
Instruction Scope
Runtime instructions are narrowly scoped to reading an API credential, uploading a specified audio file, polling for results, and writing JSON/text outputs. However, the script and SKILL.md explicitly disable SSL verification by default (verify_ssl=False) and suppress warnings—this weakens transport security and risks man-in-the-middle exposure of credentials and audio. The script also prints server responses and token expiry, which could surface sensitive values in logs. Other than that, instructions do not request unrelated files or credentials.
Install Mechanism
No install spec — the skill is shipped as source plus SKILL.md and expects an existing 'uv' runner and the 'requests' library (SKILL.md shows how to run with --with requests). No remote downloads or archive extraction are used.
Credentials
Only one required environment variable (SALUTE_AUTH_DATA) is declared and used as the API credential. That is proportionate for a cloud STT integration. No unrelated secrets or config paths are requested.
Persistence & Privilege
The skill does not request permanent inclusion (always:false) and does not modify other skills or system-wide settings. Its privileges are limited to using the provided credential and file paths supplied at runtime.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install salute-speech - After installation, invoke the skill by name or use
/salute-speech - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Update security issue
v1.0.0
Initial release
Metadata
Frequently Asked Questions
What is salute speech?
Transcribe audio files using Sber Salute Speech async API. Russian-first STT with support for ru-RU, en-US, kk-KZ, ky-KG, uz-UZ. It is an AI Agent Skill for Claude Code / OpenClaw, with 656 downloads so far.
How do I install salute speech?
Run "/install salute-speech" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is salute speech free?
Yes, salute speech is completely free (open-source). You can download, install and use it at no cost.
Which platforms does salute speech support?
salute speech is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created salute speech?
It is built and maintained by chorus12 (@chorus12); the current version is v1.0.1.
More Skills