Whisper Local Api
v1.0.0
Secure, offline, OpenAI-compatible local Whisper ASR endpoint for OpenClaw. Features faster-whisper (large-v3-turbo), built-in privacy with no cloud telemetr...
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims '100% offline & private' but the provided bootstrap script clones a remote GitHub repository (default REPO_URL) and runs code from that repo. Model weights and runtime behavior are not included in the skill bundle, so network access will be required to obtain the server code and likely model files—this contradicts the offline guarantee in the description.
Instruction Scope
Runtime instructions direct the operator to run bootstrap.sh, start.sh, healthcheck.sh, and a smoke-test. bootstrap.sh creates a venv and runs 'pip install -r requirements.txt' from the cloned repo; start.sh invokes an external run_server.sh from the cloned repo. The skill executes code that is not bundled with the skill (the remote repo) which may perform arbitrary operations (network I/O, telemetry, filesystem changes). The included scripts use curl only against localhost, but there is no assurance the remote repo will not contact external endpoints.
Install Mechanism
No registry install spec is declared, but bootstrap.sh clones a GitHub repository (https://github.com/Hantok/local-whisper-backend.git by default) and installs Python packages from its requirements.txt. GitHub is a well-known host (lower risk than arbitrary IPs or paste sites), but cloning + pip install means remote code will be fetched and executed—this is a moderate install risk and requires network access.
Credentials
The skill declares no required credentials or sensitive env vars. It does accept optional overrides (WHISPER_DIR, WHISPER_REPO_URL, WHISPER_HEALTHCHECK_URL, WHISPER_API_URL). No secrets are requested. Note: WHISPER_REPO_URL can be set to any repository, which if misused could cause arbitrary code to be installed.
Persistence & Privilege
The skill does not request always:true, does not modify other skills' configs, and does not request elevated or persistent platform privileges. start.sh launches run_server.sh as a background process under the user account; there is no automatic systemd/cron installation in the provided scripts.
What to consider before installing
This skill appears to implement a local Whisper API but relies on cloning and running code from a remote repository and installing Python packages, which undermines the '100% offline' claim. Before installing: (1) inspect the remote repository (the default repo URL or any WHISPER_REPO_URL you set) and review its run_server.sh and requirements.txt for network calls or telemetry; (2) run the bootstrap/start steps inside a disposable VM or container; (3) be prepared that model weights may be downloaded at runtime (network access) and could be large; (4) if you need strict offline guarantees, obtain vetted offline artifacts (server code and model files) and set WHISPER_DIR to a local copy instead of cloning; (5) avoid supplying third-party WHISPER_REPO_URLs unless you trust the source.
Like a lobster shell, security has layers — review code before you run it.
latest
Whisper Local API - Secure & Private ASR
Deploy a privacy-first, 100% local speech-to-text service in a deterministic way. This allows OpenClaw to process audio transcriptions safely on your own hardware without ever contacting third-party cloud APIs.
Key SEO & Security Features
- 100% Offline & Private: Your voice data, commands, and transcriptions never leave your host system. Zero cloud dependencies.
- Highly Accurate: Uses the large-v3-turbo model via faster-whisper, achieving state-of-the-art accuracy even with accents or background noise.
- Memory Safe: Operates at around 400-500MB of RAM, making it extremely lightweight for VPS or low-resource edge servers.
- OpenAI API Compatible: Exposes a strict /v1/audio/transcriptions endpoint mimicking OpenAI's JSON format. Compatible natively with any software that supports OpenAI's Whisper API.
Standard Workflow
- Install/update runtime: bash scripts/bootstrap.sh
- Start service: bash scripts/start.sh
- Validate service health: bash scripts/healthcheck.sh
- (Optional) Run a smoke transcription test with a local audio file: bash scripts/smoke-test.sh /path/to/test-speech.mp3
Repo Location
Default install/update path used by scripts:
~/whisper-local-api
Override with env var before running scripts:
WHISPER_DIR=/custom/path bash scripts/bootstrap.sh
OpenClaw Integration Notes
After the healthcheck passes, use the secure local endpoint:
- URL: http://localhost:9000
- Endpoint: /v1/audio/transcriptions
No authentication tokens are passed over the network.
Safety Rules
- Ask before any package-manager operations.
- The API binds to 0.0.0.0, which is every network interface rather than loopback only. If exposing to the public internet, deploy behind a secure reverse proxy (like Nginx) and enforce HTTPS + Basic Auth.
- This service will safely auto-fallback memory allocation modes (float16 -> int8) to prevent CPU crashes.
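The review the scan recommends for run_server.sh and requirements.txt, as an added shell example (not part of the skill or of the scanned repository): run it against a checkout you fetched yourself, before any pip install or start.sh. The function names, match patterns and sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Pre-install audit of a local checkout (the directory WHISPER_DIR would point at).
# requirements.txt and run_server.sh are named on the page; function names,
# patterns and the sample files are assumptions of this example.

unpinned_requirements() {   # requirement lines not pinned as name==version
    grep -vE '^[[:space:]]*(#|$)' "$1/requirements.txt" |
        grep -vE '^[A-Za-z0-9._-]+(\[[A-Za-z0-9,._-]+\])?==[^[:space:];]+' || true
}

external_hosts() {          # scheme://host[:port] values that are not loopback
    grep -hoE "https?://[^/\"' ]+" "$1/requirements.txt" "$1/run_server.sh" |
        grep -vE '^https?://(localhost|127\.0\.0\.1)(:[0-9]+)?$' | sort -u || true
}

wildcard_binds() {          # 0.0.0.0 listens on every interface, not loopback
    grep -n '0\.0\.0\.0' "$1/run_server.sh" || true
}

audit_checkout() {          # prints findings; returns 1 if there are any
    findings=0
    for check in unpinned_requirements external_hosts wildcard_binds; do
        out=$("$check" "$1")
        if [ -n "$out" ]; then
            findings=1
            printf '[%s]\n%s\n' "$check" "$out"
        fi
    done
    return "$findings"
}

make_sample_checkout() {    # constructed sample, not the real repository
    dir=$(mktemp -d)
    printf '%s\n' '# constructed requirements' 'faster-whisper==1.0.3' \
        'uvicorn>=0.20' 'git+https://example.invalid/pkg.git' > "$dir/requirements.txt"
    printf '%s\n' '#!/bin/sh' 'curl -s http://localhost:9000/health' \
        'exec python server.py --host 0.0.0.0 --port 9000' > "$dir/run_server.sh"
    echo "$dir"
}

sample=$(make_sample_checkout)
audit_checkout "$sample" || echo "findings present: review before pip install or start.sh"
rm -rf "$sample"
```

A clean result only means these three patterns were absent; Python code in the checkout and the packages it imports can still open connections, so the disposable VM or container from the scan advice still applies.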
