Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Faster Whisper

v1.5.1

Local speech-to-text using faster-whisper. 4-6x faster than OpenAI Whisper with identical accuracy; GPU acceleration enables ~20x realtime transcription. SRT...

4 · 5.9k · 37 current · 38 all-time
by Sarah Mak @theplasmak
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the provided artifacts: a transcription CLI (scripts/transcribe.py), a setup script (setup.sh), and requirements.txt pointing to faster-whisper. Declared binaries (python3) and optional bins (ffmpeg, yt-dlp) make sense for audio processing and URL/YouTube input.
Instruction Scope
SKILL.md instructs the agent to invoke the included CLI (./scripts/transcribe) and to add flags only on user request; it does not ask the agent to read unrelated system files or exfiltrate data. It does explicitly support downloading remote media (yt-dlp) and fetching models/credentials from Hugging Face when diarization is requested. Minor inconsistency: metadata lists ffmpeg as optional, but setup.sh exits if ffmpeg is missing (setup enforces ffmpeg as required).
Install Mechanism
There is no automated registry install spec; installation is via the included setup.sh which creates a virtualenv and pip-installs packages (faster-whisper and related deps). This is expected for a Python-based tool. Risk is moderate only because pip will fetch packages (and potentially large PyTorch/CUDA wheels) from PyPI/Hugging Face—no obscure arbitrary URL downloads or extract-from-unknown-host patterns were present in the provided scripts.
Credentials
The skill declares no required environment variables or credentials. The only optional path (~/.cache/huggingface/token) is justified by the optional speaker-diarization feature which needs a Hugging Face token for restricted models. No unrelated secrets or broad credential requests were found.
Persistence & Privilege
always is false and the skill does not request elevated or system-wide privileges. setup.sh will create a local .venv in the skill directory and install packages there—normal behavior and limited to the skill's directory. The skill does not modify other skills or system-wide agent config.
Assessment
This appears to be a legitimate local transcription skill. Before installing/running:
1) Review setup.sh and scripts/transcribe.py yourself (they will run locally and create a .venv in the skill folder).
2) Expect pip to download faster-whisper and (optionally) PyTorch/CUDA wheels—these downloads come from PyPI/Hugging Face, so ensure network access and trust those sources.
3) Note the minor metadata mismatch: the package declares ffmpeg as optional but setup.sh requires ffmpeg and will abort if it isn't present.
4) yt-dlp will download remote media when you supply URLs; using diarization will read ~/.cache/huggingface/token (Hugging Face auth) if present or require you to provide a token.
5) If you have security concerns, run the setup/install in an isolated environment (container or VM) and inspect network activity during model downloads.

Like a lobster shell, security has layers — review code before you run it.

latestvk9741qtbapmzbsj5dca63m8cfs81c4fs


Runtime requirements

🗣️ Clawdis
Bins: python3