← 返回 Skills 市场
145
总下载
1
收藏
0
当前安装
4
版本数
在 OpenClaw 中安装
/install xiabb
功能描述
免费 macOS 语音转文字,专为 Vibe Coding 设计。按住 Globe 键说话,文字自动出现在光标位置。支持智能模式:翻译、Prompt 优化、邮件生成。Powered by Google Gemini。
安全使用建议
What to consider before installing:
- Metadata mismatch: the registry did not declare required environment variables, but SKILL.md requires a GEMINI API key (GEMINI_API_KEY or ~/.api-key). Expect to provide that key for the app to work.
- High‑privilege behavior: the app needs macOS Accessibility permissions (global key capture) and performs text injection (AXUIElement or simulated paste). Granting Accessibility lets the app observe/affect other apps — only proceed if you trust the source and code.
- Inspect install/uninstall scripts: the package includes install.sh, native build scripts, and uninstall.sh. Review these scripts before running them for unsafe operations (e.g., dangerous rm -rf usage, writing files to system locations, or invoking remote code). Build from source yourself if possible.
- API key handling: ensure the key is not embedded in URLs or logs. Prefer storing credentials in the OS keychain rather than plaintext files; confirm the code sends the key in HTTP headers (not query strings).
- Verify provenance: the SKILL.md points to a GitHub repository and releases — check that repository (commits, stars, issues, author identity) and verify the distributed binary is notarized by Apple if you plan to run the prebuilt release.
- Test safely: if you want to try it, run it in a controlled environment first (dedicated test macOS account or VM), and monitor network traffic to confirm it only talks to expected endpoints (Google Gemini endpoints and GitHub).
- If you lack the ability to audit code, prefer not to grant Accessibility or run install scripts; consider using an alternative vetted solution.
Confidence notes: the assessment is based on the included SKILL.md and repository files; no automated scan flags were provided. The issues found (metadata mismatch, API key handling, and shell scripts) could be legitimate design choices or sloppy packaging; that ambiguity is why the verdict is "suspicious" rather than "benign".
能力评估
Purpose & Capability
The skill's description and SKILL.md match each other (a macOS app that captures a Globe key press, streams audio to Google Gemini, and injects text). However registry metadata lists no required environment variables while the SKILL.md explicitly requires a GEMINI_API_KEY (or .api-key file). That mismatch is an inconsistency the author should have declared in metadata but is otherwise consistent with the stated purpose.
Instruction Scope
Runtime instructions ask the user to grant Accessibility permissions (global event tap) and to add Terminal.app to Accessibility — both are required for global key capture and text injection but are high‑impact actions. The instructions also tell users to run install.sh / build.sh and to store an API key in ~/.api-key or an environment variable. The skill's behavior (AXUIElement / simulated paste or CGEvent injection) will write text into other apps and requires macOS privacy privileges; that is functionally coherent but broad in scope and warrants explicit user understanding and review.
Install Mechanism
There is no platform install spec in the registry (instruction-only), but the bundle includes install.sh, native/build.sh and uninstall.sh — i.e., install scripts that will run on the user's machine. The repo references official GitHub releases (not a random URL), which is preferable to arbitrary downloads, but any included shell scripts should be inspected before execution because they will write files and modify system state.
Credentials
Functionally the skill needs a Gemini API key, which the SKILL.md asks for; requesting GEMINI_API_KEY is proportionate to the stated cloud‑API purpose. But the registry metadata omits this requirement (declares no required env vars), creating an incoherence. The SKILL.md also suggests storing the key in a plaintext file (~/.api-key), which is a weaker storage approach; the code content notes earlier unsafe patterns (e.g., originally placing API key in URL query). These are security/operational concerns to address before use.
Persistence & Privilege
The skill does not request always:true and is user-invocable (normal). However, it requires macOS Accessibility (AX) privileges and can inject keystrokes / write into other applications — a high privilege for a skill. That privilege is consistent with a global hotkey + input-injection tool, but it increases risk: only install if you trust the code and the publisher.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install xiabb - 安装完成后,直接呼叫该 Skill 的名称或使用
/xiabb触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.3.2
Smart Modes
v1.1.5
修复版本一致性:skill v1.1.5 引用 app release v1.1.3
v1.1.4
Fix security scan: remove swiftc requirement, add checksum, declare config path, add security section
v1.1.3
Initial release — 免费 macOS 语音转文字,专为 Vibe Coding 设计
元数据
常见问题
Xiabb 是什么?
免费 macOS 语音转文字,专为 Vibe Coding 设计。按住 Globe 键说话,文字自动出现在光标位置。支持智能模式:翻译、Prompt 优化、邮件生成。Powered by Google Gemini。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 145 次。
如何安装 Xiabb?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install xiabb」即可一键安装,无需额外配置。
Xiabb 是免费的吗?
是的,Xiabb 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Xiabb 支持哪些平台?
Xiabb 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Xiabb?
由 dyz2102(@dyz2102)开发并维护,当前版本 v1.3.2。
推荐 Skills