ListenHub Asr

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears purpose-aligned for audio transcription, with review-worthy but disclosed caveats around installing an external CLI, downloading local models, running local commands, and optional AI polishing.

Before installing, make sure you trust the `@marswave/coli` CLI and are comfortable with first-run model downloads. Confirm the audio file path before transcription, disable polishing if you need a verbatim transcript, and only export Markdown if you want a transcript file written to the current directory.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill may require installing a third-party global command-line tool and downloading model files to the local machine.

Why it was flagged

The skill depends on a globally installed external CLI and model assets outside the provided artifact set. This is purpose-aligned for local ASR, but users should trust the package and model source.

Skill content

Tell user to run `npm install -g @marswave/coli` first ... first transcription will auto-download models (~60MB) to `~/.coli/models/`

Recommendation

Install `@marswave/coli` only from a trusted source, and expect the first transcription to use network and disk space for model setup.

What this means

The agent will execute a local transcription command that reads the selected audio file.

Why it was flagged

The agent is instructed to run a local CLI command against a user-provided file path. The confirmation gate and file-existence check make this proportionate to the transcription purpose.

Skill content

After all parameters are collected, summarize and ask the user to confirm before running any transcription ... `coli asr -j --model {model} "{file}"`

Recommendation

Confirm the exact file path and model choice before allowing transcription, especially for private recordings.

What this means

Future runs may reuse saved preferences, and polished output may differ from the raw transcript.

Why it was flagged

The skill persists non-secret preferences and, when polishing is enabled, uses the transcript text in the agent context for rewriting. This is disclosed and user-configurable, but relevant for sensitive or verbatim transcription needs.

Skill content

`echo '{"model":"sensevoice","polish":true}' > "$HOME/.listenhub/asr/config.json"` ... If `polish` is `true`, take the raw `text` ... rewrite it

Recommendation

Set polishing to false for verbatim transcripts or especially sensitive audio, and delete the local config if you do not want preferences retained.