byted-las-asr-pro
Pass
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill interacts exclusively with verified Bytedance domains (volces.com), which is consistent with the skill's authorship and purpose.\n- [SAFE]: The script scripts/skill.py performs proactive security validation in the _validate_url function. It ensures that user-supplied audio URLs do not resolve to internal or private networks, effectively mitigating Server-Side Request Forgery (SSRF) risks.\n- [SAFE]: Authentication is managed using best practices. The skill retrieves the LAS_API_KEY from environment variables or a local env.sh file, avoiding the risk of hardcoded credentials.\n- [PROMPT_INJECTION]: The skill processes transcription data from the ASR service, creating an indirect prompt injection surface. This is documented for completeness but does not escalate the verdict due to the skill's utility and the absence of dangerous downstream execution.\n
- Ingestion points: Transcription text and utterance data retrieved from the poll API in scripts/skill.py.\n
- Boundary markers: Not explicitly implemented in the summary output.\n
- Capability inventory: The script performs network requests and file writes, but does not use dynamic execution functions like eval on the ingested data.\n
- Sanitization: Results are saved to JSON format without further sanitization.
Audit Metadata