← 返回 Skills 市场
Voice Transcriber Pro
作者
aiwithabidi
· GitHub ↗
· v1.0.0
731
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install voice-transcriber-pro
功能描述
Voice note transcription and archival for OpenClaw agents. Powered by Deepgram Nova-3. Transcribes audio messages, saves both audio files and text transcript...
安全使用建议
This skill is functionally a transcriber, but the metadata, docs, and code don't line up. Before installing: (1) Do not provide DEEPGRAM_API_KEY expecting it to be used — the scripts currently call OpenAI/openrouter endpoints instead. (2) Inspect ~/.openclaw/workspace/.env for secrets; the transcribe.sh will read that file for OPENROUTER_API_KEY if present, which could expose other keys. (3) If you want Deepgram, either modify the scripts to actually use Deepgram or prefer a skill that declares and uses the correct provider. (4) Be aware that audio files will be uploaded to external services (api.openai.com and openrouter.ai) — only do this if you are comfortable sending sensitive audio to those providers. (5) If you lack the ability to audit/modify the code, run this only in a controlled/sandboxed environment and avoid placing other credentials in ~/.openclaw/workspace/.env. Given the mismatches and undeclared env usage, treat this skill with caution or seek a corrected/reviewed release.
功能分析
Type: OpenClaw Skill
Name: voice-transcriber-pro
Version: 1.0.0
The skill is classified as suspicious primarily due to a path traversal vulnerability in `scripts/save_voice_note.py`. The `shutil.copy2(audio_path, audio_dest)` call does not sanitize the `audio_path` input, allowing an attacker to write files to arbitrary locations on the filesystem by providing paths like `../../evil.ogg`. Additionally, the `transcript` argument is written directly into a markdown journal file without sanitization, creating a potential prompt injection vector if the agent later processes its own journal entries. The `scripts/transcribe.sh` script performs expected API calls to OpenAI/OpenRouter for transcription and handles API keys in a standard manner for OpenClaw skills, without clear malicious intent.
能力评估
Purpose & Capability
The metadata and description advertise Deepgram Nova-3 and list DEEPGRAM_API_KEY and jq as required, but the actual scripts use OpenAI's audio transcription endpoint and openrouter.ai. The code does not use DEEPGRAM_API_KEY and does not call jq; conversely it relies on Python3 and environment variables (OPENAI_API_KEY, OPENROUTER_API_KEY) that are not declared. This mismatch is disproportionate and inconsistent with the stated purpose/provider.
Instruction Scope
SKILL.md instructs running bundled scripts which post audio files to external APIs (api.openai.com and openrouter.ai). transcribe.sh will read OPENROUTER_API_KEY from ~/.openclaw/workspace/.env if not in env — a user-local env file that may contain other secrets. save_voice_note.py writes audio and Markdown journal files under ~/.openclaw/workspace/memory, which is plausible for a journaling skill, but reading ~/.openclaw/workspace/.env and sending audio to third-party endpoints are not documented in SKILL.md and expand scope beyond the advertised Deepgram integration.
Install Mechanism
No remote install or download spec is present (instruction-only with bundled scripts). That lowers risk from arbitrary code fetches. The included scripts will be present on disk as part of the skill bundle, but no external installers or network-based install steps are invoked by the skill itself.
Credentials
The registry declares DEEPGRAM_API_KEY as the primary credential but the scripts use OPENAI_API_KEY and OPENROUTER_API_KEY (and also attempt to read ~/.openclaw/workspace/.env). Asking for a Deepgram key while not using it is misleading. Requiring or accessing other API keys and a workspace .env file is disproportionate and increases the chance of unintentionally exposing unrelated secrets.
Persistence & Privilege
The skill does not request always:true and writes only to ~/.openclaw/workspace/memory which is expected for agent memory. However, it also reads ~/.openclaw/workspace/.env (potentially containing other credentials) — this cross-file access is not declared and elevates the skill's effective privilege to access local secret material beyond its stated scope.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install voice-transcriber-pro - 安装完成后,直接呼叫该 Skill 的名称或使用
/voice-transcriber-pro触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Audio transcription via Whisper + voice note journaling
元数据
常见问题
Voice Transcriber Pro 是什么?
Voice note transcription and archival for OpenClaw agents. Powered by Deepgram Nova-3. Transcribes audio messages, saves both audio files and text transcript... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 731 次。
如何安装 Voice Transcriber Pro?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install voice-transcriber-pro」即可一键安装,无需额外配置。
Voice Transcriber Pro 是免费的吗?
是的,Voice Transcriber Pro 完全免费(开源免费),可自由下载、安装和使用。
Voice Transcriber Pro 支持哪些平台?
Voice Transcriber Pro 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Voice Transcriber Pro?
由 aiwithabidi(@aiwithabidi)开发并维护,当前版本 v1.0.0。
推荐 Skills