← 返回 Skills 市场
419
总下载
1
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install yandex-speechkit-stt
功能描述
Распознавание речи через Yandex SpeechKit API для голосовых сообщений в Telegram. Используй когда пользователь отправляет голосовые сообщения и хочет, чтобы...
安全使用建议
This skill will ask you to provide a Yandex service account private key (via config.json) and includes a monitor script that watches a specific inbox directory and sends transcripts to a hardcoded Telegram target (id 271578652). Before installing: 1) Do not provide your Yandex service-account private key unless you fully trust the author — private keys can be used to consume cloud resources or access data. 2) Inspect and modify the code if you plan to use it: change INBOX_DIR/WORKSPACE paths to match your environment, remove or replace the hardcoded Telegram target so messages are returned to the originating chat, and add 'openclaw' as a declared required binary (or confirm the intended messaging mechanism). 3) Run the code in a sandbox or isolated account first (use a disposable Yandex account with limited permissions). 4) If you cannot audit or safely modify the script, avoid running the background monitor; prefer invoking the standalone yandex_stt.py manually with controlled inputs. 5) If you want to proceed, ensure config.json is stored with least privilege and rotated if leaked. These mismatches (paths, undeclared dependency, and hardcoded recipient) make the skill suspicious rather than clearly benign.
功能分析
Type: OpenClaw Skill
Name: yandex-speechkit-stt
Version: 1.0.0
The skill is designed to process voice messages via Yandex SpeechKit and send the recognized text back to the OpenClaw platform. It is classified as 'suspicious' due to the use of `subprocess.run` in `scripts/voice_processor.py` to execute `openclaw message send` with user-controlled recognized text as an argument. This presents a potential shell/argument injection vulnerability if the `openclaw` binary or the underlying OpenClaw platform does not adequately sanitize or escape the `--message` argument, which could lead to remote code execution or prompt injection against the agent. While the intent of the skill is benign, this interaction point represents a significant vulnerability.
能力评估
Purpose & Capability
Name/description match the code's STT functionality, but the runtime requires/uses things that were not declared and are unexpected: the background script invokes an 'openclaw' CLI (not listed in required binaries) and hardcodes a Telegram target id (271578652) to which transcripts are sent instead of sending them back to the originating chat. This hardcoded target is disproportionate to the stated purpose and could redirect user data to a third-party account.
Instruction Scope
The runtime instructions and code access and monitor system paths outside the skill directory (WORKSPACE '/home/mockingjay/.openclaw/workspace', INBOX_DIR '/home/mockingjay/.openclaw/media/inbound') and write a processed-state file ('/home/mockingjay/.openclaw/.voice_processed.json'). The monitor (voice_processor.py) runs an infinite loop, converts/segments audio, obtains IAM tokens from a service account private key, and unconditionally sends recognized text to a fixed Telegram target via 'openclaw message send'. The SKILL.md tells you to put config.json 'in the skill folder', but voice_processor expects config in the workspace skills path — a clear path mismatch.
Install Mechanism
The skill is instruction-only (no installer that downloads arbitrary artifacts), and SKILL.md lists pip packages (PyJWT, cryptography, requests) which are reasonable for JWT-based IAM flows and HTTPS calls. No remote arbitrary code downloads or URL-based extract installs are present. However, code files are included and will execute local commands (ffmpeg, ffprobe, rm), so although install risk is low, execution risk remains.
Credentials
Registry metadata lists no required env vars, but the code expects a config.json containing service account private_key, id, service_account_id and folder_id (sensitive credentials). The SKILL.md instructs creating config.json, but the script reads it from a different hardcoded workspace path. The skill therefore requires highly sensitive credentials (service account private key) yet does not declare or document their handling proportionately, nor does it limit where transcripts are sent.
Persistence & Privilege
The skill includes a continuously running monitor script that scans an inbox directory and persists state to a workspace-wide file. While 'always: false' is set, the script's behavior is effectively a persistent/background agent: it reads system media directories, writes state to a workspace file, and autonomously posts data to a Telegram target. Combined with the hardcoded external recipient, this raises persistence and data-exfiltration concerns.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install yandex-speechkit-stt - 安装完成后,直接呼叫该 Skill 的名称或使用
/yandex-speechkit-stt触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of Yandex SpeechKit STT skill:
- Enables speech recognition for Telegram voice messages via Yandex SpeechKit API.
- Supports OggOpus, WAV, and MP3 audio formats.
- Automatically trims audio to 28 seconds to comply with Yandex limits.
- Handles IAM token generation and refresh using service account credentials.
- Usable both from command line and as a Python module.
元数据
常见问题
Yandex Speechkit STT via Telegram Gateway 是什么?
Распознавание речи через Yandex SpeechKit API для голосовых сообщений в Telegram. Используй когда пользователь отправляет голосовые сообщения и хочет, чтобы... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 419 次。
如何安装 Yandex Speechkit STT via Telegram Gateway?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install yandex-speechkit-stt」即可一键安装,无需额外配置。
Yandex Speechkit STT via Telegram Gateway 是免费的吗?
是的,Yandex Speechkit STT via Telegram Gateway 完全免费(开源免费),可自由下载、安装和使用。
Yandex Speechkit STT via Telegram Gateway 支持哪些平台?
Yandex Speechkit STT via Telegram Gateway 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Yandex Speechkit STT via Telegram Gateway?
由 strydex(@strydex)开发并维护,当前版本 v1.0.0。
推荐 Skills