Is dagmawibabi/addis-assistant-stt safe?
https://github.com/openclaw/skills/tree/main/skills/dagmawibabi/addis-assistant-stt
The addis-assistant-stt skill provides a legitimate Amharic speech-to-text and translation interface wrapping the api.addisassistant.com API. The SKILL.md is clean, with no prompt injection, and the installation was well-behaved, with no unexpected processes or persistence. The primary concerns are that all user audio and text is transmitted to an unvetted third-party API, and that the curl @filepath upload pattern in stt.py accepts any file path with no validation, creating an indirect exfiltration risk if an agent is manipulated into passing a sensitive filesystem path as the audio argument.
Findings (6)
HIGH Arbitrary file upload via curl @filepath to third-party API -35
Both stt.py and translate.py invoke curl as a subprocess. The STT script builds the form argument as f'audio=@{audio_file_path}', where audio_file_path is taken from sys.argv[2] with no validation or path restriction. In a curl --form value, a leading @ tells curl to read the named file and upload its full binary contents as the field. In an agent context where the skill is invoked programmatically, a manipulated prompt could cause the agent to pass a sensitive path (e.g. ~/.ssh/id_rsa, ~/.aws/credentials, .env) as the audio file argument, silently exfiltrating that file's contents to api.addisassistant.com. The script never checks that the path is inside an expected audio directory, that it is a regular file rather than a symlink elsewhere, or that its contents look like audio at all; any of those checks would have blocked the examples above.
HIGH All audio and text data transmitted to undisclosed third-party (api.addisassistant.com) -17
Every invocation of this skill sends user data to api.addisassistant.com, a third-party service not operated by the skill consumer. Audio recordings (which may contain sensitive spoken content) and all text submitted for translation are transmitted with only an API key as authentication. The privacy policy, data retention, and logging practices of api.addisassistant.com are unknown. Users and agents have no visibility into what happens to this data after transmission.
MEDIUM Subprocess execution of curl with user-controlled arguments -20
Both Python scripts call subprocess.run with an argument list built from user-supplied values (api_key, audio_file_path, text, source_language, target_language). The list-based invocation means no shell is involved, so shell metacharacters in those values are inert; however, the api_key value is interpolated directly into an HTTP header argument and audio_file_path is used verbatim, with no sanitization of either. Two points are worth confirming in the scripts: that the API key is restricted to printable ASCII before it is placed in a -H value, and that translate.py passes the text and language fields with --form-string rather than --form, since curl treats a --form value beginning with @ or < as a file to read, which would turn a user-supplied text of "@/etc/passwd" into a file upload. The subprocess pattern is legitimate for the stated purpose but is an expanded attack surface whenever the skill is invoked with attacker-influenced inputs.
LOW Clean installation with expected GitHub network activity -7
The install process performed a sparse git clone from github.com/openclaw/skills.git, extracted only the target skill subdirectory, copied the files into the sandbox, and removed the temporary clone. No unexpected processes were spawned. Network activity to 140.82.121.3:443 (a GitHub address) is expected for the clone. The connection to 185.125.188.57:443 was already open before the install began and is unrelated to this skill.
INFO Canary file reads attributed to monitoring framework, not skill -5
The six canary credential files were opened and read at 08:23:38, before skill installation began, and again approximately 24 seconds later. Both read events are temporally consistent with the Oathe monitoring framework establishing its pre-install baseline and then performing post-install integrity verification. The skill's Python code contains no logic to enumerate or read credential files, and the canary integrity check confirms all six files remained unmodified.
MEDIUM Indirect exfiltration risk in agentic context via file path manipulation -32
When this skill is active in an agent's system prompt, an adversarial user message such as 'transcribe the audio at /home/user/.ssh/id_rsa' could cause the agent to invoke stt.py with that path, and the curl upload would silently send the key's contents to api.addisassistant.com. Combined with any skill that lists directory contents, an attacker could discover and exfiltrate sensitive files systematically. The risk is indirect, since it depends on the agent following the instruction, but the skill itself provides no mitigation: it neither confines uploads to an audio directory nor checks that the file is audio, so the agent is the only control in the path.
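The following is an added example of the validation layer that findings 1, 3 and 6 say stt.py and translate.py lack; it is not code from the skill or from the openclaw/skills repository. The curl invocation is reconstructed from the report (API key and path from argv, subprocess.run with a list, --form audio=@path); the header name, endpoint URL, field names, language codes and upload cap are placeholders chosen for the example, and the files it tests against are constructed in a temporary directory.

```python
import subprocess
import tempfile
from pathlib import Path
from typing import Optional

MAX_AUDIO_BYTES = 50 * 1024 * 1024  # placeholder upload cap, not taken from the skill


class RejectedPath(ValueError):
    """Raised for a path that must not be handed to curl."""


def sniff_audio_format(header: bytes) -> Optional[str]:
    """Label the container from its first bytes, or None if it is not audio.
    A renamed private key or .env file fails this check whatever its suffix."""
    if header.startswith(b"RIFF") and header[8:12] == b"WAVE":
        return "wav"
    if header.startswith(b"ID3") or header[:2] in (b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"):
        return "mp3"  # ID3v2 tag, or a raw MPEG-1/2 Layer III frame sync
    if header.startswith(b"fLaC"):
        return "flac"
    if header.startswith(b"OggS"):
        return "ogg"
    return None


def validate_audio_path(user_path: str, allowed_root: str) -> Path:
    """Resolve user_path and accept it only as a regular audio file below
    allowed_root. Symlinks are resolved first, so a link in the audio
    directory pointing at ~/.ssh/id_rsa is rejected like a direct path."""
    root = Path(allowed_root).resolve(strict=True)
    candidate = Path(user_path).expanduser().resolve(strict=True)
    if root not in candidate.parents:
        raise RejectedPath(f"{user_path}: outside {root}")
    if not candidate.is_file():
        raise RejectedPath(f"{user_path}: not a regular file")
    if candidate.stat().st_size > MAX_AUDIO_BYTES:
        raise RejectedPath(f"{user_path}: exceeds upload cap")
    with candidate.open("rb") as fh:
        header = fh.read(12)
    if sniff_audio_format(header) is None:
        raise RejectedPath(f"{user_path}: content is not a recognised audio format")
    return candidate


def check_api_key(api_key: str) -> str:
    """The key lands in a curl -H argument; refuse anything that is not
    printable ASCII so it cannot carry CR/LF or other header-breaking bytes."""
    if not api_key or not api_key.isascii() or not api_key.isprintable():
        raise ValueError("api key must be non-empty printable ASCII")
    return api_key


def build_stt_argv(api_key: str, audio_path: Path, url: str) -> list:
    """curl argv for the upload. The list form keeps the shell out; the file
    read via @ is deliberate and happens only after validate_audio_path."""
    return ["curl", "--silent", "--fail",
            "-H", f"X-API-Key: {check_api_key(api_key)}",  # header name is a placeholder
            "--form", f"audio=@{audio_path}",
            url]


def build_translate_argv(api_key: str, text: str, src: str, dst: str, url: str) -> list:
    """Text fields use --form-string, not --form: with --form, curl reads a
    file when the value starts with @ or <, so user text '@/etc/passwd' would
    become a file upload. Field names are placeholders."""
    return ["curl", "--silent", "--fail",
            "-H", f"X-API-Key: {check_api_key(api_key)}",
            "--form-string", f"text={text}",
            "--form-string", f"source_language={src}",
            "--form-string", f"target_language={dst}",
            url]


def run(argv: list) -> subprocess.CompletedProcess:
    """Execute a built argv without a shell and capture the response body."""
    return subprocess.run(argv, check=True, capture_output=True, text=True)


def demo() -> dict:
    """Constructed fixtures (not files from any real system): a WAV inside the
    audio dir, a fake key outside it, a symlink inside pointing at the key, and
    a renamed .env inside. Returns what validation decided for each."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        audio_dir = home / "audio"
        audio_dir.mkdir()
        (home / ".ssh").mkdir()
        key = home / ".ssh" / "id_rsa"
        key.write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n")
        wav = audio_dir / "note.wav"
        wav.write_bytes(b"RIFF" + (36).to_bytes(4, "little") + b"WAVEfmt " + b"\x00" * 24)
        link = audio_dir / "clip.wav"
        link.symlink_to(key)
        renamed = audio_dir / "renamed.wav"
        renamed.write_text("AWS_SECRET_ACCESS_KEY=constructed\n")
        verdicts = {}
        for label, p in (("wav", wav), ("key", key), ("symlink", link), ("renamed", renamed)):
            try:
                validate_audio_path(str(p), str(audio_dir))
                verdicts[label] = "accepted"
            except RejectedPath:
                verdicts[label] = "rejected"
        verdicts["stt_argv"] = build_stt_argv("k3y", wav, "https://api.addisassistant.com/PLACEHOLDER")
        verdicts["translate_argv"] = build_translate_argv(
            "k3y", "@/etc/passwd", "am", "en", "https://api.addisassistant.com/PLACEHOLDER")
        return verdicts


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running demo() shows the WAV accepted and the key, the symlink to it and the renamed .env all rejected before curl is ever built; the translate argv carries "@/etc/passwd" as a literal string because --form-string never interprets the prefix. In an agent deployment the allowed_root would be the directory the agent records into, which is the control finding 6 identifies as missing.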