Safety Report

Gemini STT

Name: Gemini STT
Rating: 5 (1 reviews)
Author: araa47

@araa47

Transcribe audio files using Google's Gemini API or Vertex AI

2,603Downloads

6Installs

1Stars

2Versions

API Integration4,971 File Management2,100 Video & Audio1,618

Security Analysis

high confidence

Clean0.08 risk

The skill appears to do what it claims—transcribe audio via Gemini or Vertex AI—and its code and instructions are consistent with that purpose, but the registry metadata omits required authentication details and should be corrected/verified before use.

Feb 11, 20262 files2 concerns

Purpose & Capabilitynote

Skill name/description (Gemini/Vertex STT) match the code and runtime instructions. The only mismatch is registry metadata claiming 'no required env vars' while SKILL.md and the script require either GEMINI_API_KEY or Google ADC (gcloud). This is an inconsistency in metadata, not in functionality.

Instruction Scopeok

Runtime instructions and the script are scoped to reading an audio file, base64-encoding it, and calling Google Gemini or Vertex endpoints. It invokes 'gcloud' only to obtain an access token/project configuration. It does not read unrelated system files or send data to unexpected endpoints.

Install Mechanismok

No install spec; the skill is instruction-only with a single Python script that uses only the standard library. Low risk from installation artifacts.

Credentialsnote

Authentication requirements (GEMINI_API_KEY or gcloud ADC and possibly GOOGLE_CLOUD_PROJECT/CLOUDSDK_CORE_PROJECT) are appropriate for contacting Gemini/Vertex. However, the skill metadata declares no required environment variables or primary credential, which is inaccurate and could mislead users about needed credentials.

Persistence & Privilegeok

The skill does not request permanent inclusion (always:false), does not modify other skills or system settings, and does not persist credentials. It runs commands locally (gcloud) but does not escalate privileges or change system-wide configuration.

Guidance

This skill is coherent with its stated purpose, but before installing: (1) be aware it requires authentication—either set GEMINI_API_KEY or run 'gcloud auth application-default login' and ensure a proper GCP project is configured; the registry metadata currently omits these requirements. (2) Using ADC (gcloud) will cause the script to call 'gcloud auth print-access-token' and use your ADC permissions to call Vertex; prefer a least-privilege service account or isolated environment if you are concerned about exposing broader GCP credentials. (3) GEMINI_API_KEY should be stored securely (not in world-readable files). (4) Review and run the script in a safe environment if you want to inspect network calls; endpoints contacted are standard Google APIs (generativelanguage.googleapis.com and *.aiplatform.googleapis.com). If you need the metadata fixed or want the skill to declare GEMINI_API_KEY / GOOGLE_CLOUD_PROJECT as required, request that from the publisher before trusting it in production.

Latest Release

v1.1.0

Added support for Google Vertex AI with Application Default Credentials (ADC). Now supports both GEMINI_API_KEY and gcloud ADC authentication methods. Auto-detects authentication method.

More by @araa47

Local Whisper

8 stars

Local STT (Nvidia Parakeet + Whisper Support)

0 stars

vizclaw

0 stars

ez-google

0 stars

EZ Unifi

0 stars

md-2-pdf

0 stars

Published by @araa47 on ClawHub