Is dumoedss/acestep-lyrics-transcription safe?
https://github.com/openclaw/skills/tree/main/skills/dumoedss/acestep-lyrics-transcription
The acestep-lyrics-transcription skill is a legitimate audio transcription wrapper for OpenAI Whisper and ElevenLabs Scribe with no evidence of malicious design, prompt injection, or active data exfiltration. The primary security concerns are a shell injection vulnerability in the set_config() function (unquoted variable interpolation allowing command substitution), the design pattern of passing user API keys as plaintext CLI arguments, and unconstrained configurable API URL fields that could silently redirect credentials. No canary files were accessed or modified by the skill, and clone behavior was clean.
Category Scores
Findings (7)
MEDIUM Shell injection in set_config() via unquoted $value interpolation -22 ▶
In set_config(), the $value argument is interpolated directly inside a double-quoted bash string that becomes the jq command argument: jq "$jq_path = \"$value\"" "$CONFIG_FILE". Double-quoting does not suppress command substitution in bash, so if $value contains $(cmd) or backtick expressions, bash will execute them before invoking jq. This is exploitable if a user is tricked into providing a malicious string as an API key value through the skill's AskUserQuestion flow.
MEDIUM API keys collected and passed as plaintext command-line arguments -18 ▶
SKILL.md instructs the agent to collect API keys from the user and immediately pass them as literal command-line arguments to the bash script (config --set openai.api_key sk-...). The key is visible in /proc/
MEDIUM Configurable API URLs enable silent credential and audio redirection -15 ▶
The openai.api_url and elevenlabs.api_url configuration fields are fully user-settable via config --set and are used verbatim in curl invocations without validation or pinning. If these fields are modified to point to an attacker-controlled HTTPS endpoint, all subsequent API calls will send the stored API key (in the Authorization header) and the full audio file to that endpoint. There is no integrity check on these URLs.
LOW jq_path constructed from unsanitized $key with potential jq expression injection -5 ▶
The jq_path variable is built as .${key} and embedded in jq filter strings. While jq does not support exec() or system() calls, a crafted key value with jq path/filter syntax could produce unexpected jq behavior, including overwriting unintended config fields or causing jq parse errors that might be exploited in unusual jq versions.
LOW Latent exploitation chain: social engineering + shell injection + configurable endpoints -10 ▶
While no exploitation is occurring in this audit, the combination of (1) the skill prompting users to provide API keys, (2) shell injection in set_config(), and (3) configurable API URLs creates a plausible multi-step attack: trick a user into providing a crafted API key value that exfiltrates data or modifies the API URL to redirect future credentials. Neither step is individually catastrophic but the combination increases risk.
LOW API key management design exposes secrets in process space during configuration -10 ▶
The skill's design pattern of collecting API keys via interactive prompts and immediately writing them to disk via CLI arguments is a suboptimal secret-handling pattern. Keys transit through process arguments (observable via /proc), and are stored in a plaintext JSON file within the skill directory. This is consistent with many third-party scripts but warrants awareness.
INFO Installation accessed only expected GitHub infrastructure -5 ▶
The skill installation exclusively contacted github.com (140.82.113.3:443) for the git clone operation. No other outbound connections were initiated. The sparse-checkout correctly isolated the target skill subdirectory. Post-install network state is clean with no new listeners.