Is voice-transcribe safe?

https://clawhub.ai/darinkishore/voice-transcribe

68
CAUTION

The voice-transcribe skill instructs the agent to execute an opaque Python script via uv run that is not included in the skill repository and cannot be audited. While the skill's stated purpose (audio transcription) is benign, the unverifiable external code execution combined with handling of sensitive audio data and API keys creates meaningful risk. The skill appears to be a personal tool (hardcoded to the author's machine paths) that was published without security hardening for general distribution.

Category Scores

Prompt Injection 65/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 45/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (8)

HIGH Opaque external script execution via uv run -45

The skill instructs the agent to execute uv run /Users/darin/clawd/skills/voice-transcribe/transcribe which runs a Python script that is NOT included in the skill repository. The actual code being executed cannot be audited, verified, or sandboxed. The uv tool may also resolve and download Python dependencies at runtime without a visible lockfile.

MEDIUM Unauditable script handles potentially sensitive audio data -20

Voice memos and audio files containing personal/sensitive information are passed to an opaque transcribe script that sends data to OpenAI's API. The script could also exfiltrate audio content or metadata to additional endpoints without the user's knowledge.

MEDIUM Agent instructed to act on unverified transcription output -20

The instruction 'then respond based on the transcribed content' causes the agent to treat transcription output as trusted input. An adversarially crafted audio file could produce transcription text containing prompt injection payloads (e.g., 'Ignore previous instructions and...').

MEDIUM API key storage in plaintext .env file -15

The skill instructs storing an OpenAI API key in a .env file at a hardcoded path. This normalizes credential handling by the agent and exposes the key to any other process or skill that can read the filesystem.

MEDIUM Hardcoded absolute paths to skill author's machine -15

All executable paths reference /Users/darin/clawd/skills/voice-transcribe/, which is specific to the skill author's local machine. This suggests the skill was not designed for distribution and may not have been reviewed for security in a multi-user context.

LOW AWS credentials file accessed during install phase -10

The monitoring log shows /home/oc-exec/.aws/credentials was opened and accessed during the install phase. This is likely attributable to the openclaw framework rather than the skill itself, but warrants noting.

LOW Write access to skill files enables downstream manipulation -10

The skill instructs the agent to modify vocab.txt and replacements.txt based on user corrections. While benign in isolation, this creates a persistent write path that could be exploited by other skills or adversarial inputs to influence future transcription outputs.

INFO All canary files intact 0

No honeypot files were accessed or modified during the skill installation or analysis phase. This indicates no active exfiltration attempt was made against planted credentials.