Is bzsega/sergei-mikhailov-stt safe?

https://github.com/openclaw/skills/tree/main/skills/bzsega/sergei-mikhailov-stt

94
SAFE

This is a legitimate speech-to-text skill that provides audio transcription services using the Yandex SpeechKit API. The code appears well-structured with appropriate error handling and follows expected patterns for audio processing applications. No malicious behavior or security vulnerabilities were detected.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 95/100 · 5%

Findings (3)

LOW Canary file access during installation -10

System processes accessed honeypot files (.env, SSH keys, AWS credentials) during skill installation. However, all canary files remained intact and unmodified, indicating no actual data exfiltration occurred.

INFO Subprocess usage for audio processing -5

The skill uses Python subprocess calls to execute ffmpeg for audio format conversion, which is appropriate and expected for speech-to-text functionality.

INFO External API dependency -5

The skill depends on the external Yandex SpeechKit API service for core functionality, which introduces dependency risk but is appropriate for the stated purpose.