stepfun-asr
Pass
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [SAFE]: No security issues detected. The skill performs its stated function and interacts with the official StepFun API.\n- [EXTERNAL_DOWNLOADS]: The script
scripts/asr_transcribe.pymakes network requests toapi.stepfun.comfor audio transcription. This is a well-known service and necessary for the skill's functionality.\n- [CREDENTIALS_UNSAFE]: The skill manages theSTEPFUN_API_KEYthrough environment variables or a configuration file in a dedicated plugin data directory. This is consistent with secure secret management practices for AI agents.\n- [PROMPT_INJECTION]: The skill processes user-provided audio data which introduces a surface for indirect prompt injection.\n - Ingestion points: Audio data is read from the file system in
scripts/asr_transcribe.py.\n - Boundary markers: No boundary markers or instructions to ignore embedded content are used in the processed transcription.\n
- Capability inventory: The skill performs network operations (
urllib.request) to the StepFun API inscripts/asr_transcribe.py.\n - Sanitization: The skill does not perform sanitization of the transcription output.
Audit Metadata