Skill v1.0.3
ClawScan security
Voice messaging setup · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 1, 2026, 7:03 AM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions and requirements are consistent with a local STT+TTS setup: it creates a venv, installs faster-whisper, writes a transcription script, and shows OpenClaw config changes; it does not request unrelated credentials or hidden installs, but it will download large ML models and install native dependencies.
- Guidance: This skill appears to do what it claims, but before running: (1) review and back up ~/.openclaw/openclaw.json — the instructions modify it; (2) expect pip to install large/native packages (onnxruntime, ctranslate2, ffmpeg may be needed) and for faster-whisper to download model weights from the Hugging Face hub (large disk and network usage); (3) prefer running the install steps manually in a terminal so you can inspect outputs and resolve missing system packages; (4) confirm the TTS 'edge' provider behavior in your OpenClaw environment (some providers may still call external services); (5) if you have security or bandwidth constraints, run this in an isolated machine or container. If you want me to, I can (a) extract the exact file changes the SKILL.md will make, (b) produce step-by-step shell commands you can run interactively, or (c) list additional system packages you may need (ffmpeg, build tools) for faster-whisper to install successfully.
Review Dimensions
- Purpose & Capability (ok): The name/description (STT + TTS using faster-whisper and Edge TTS) match the actions in SKILL.md: creating a venv, installing faster-whisper, creating a transcribe.py, and adding OpenClaw config entries for media.audio and messages.tts. Nothing requested or shown is unrelated to providing local transcription and TTS.
- Instruction Scope (note): The instructions direct the agent to create files under ~/.openclaw/workspace/voice-messages, install packages into that venv, and modify ~/.openclaw/openclaw.json. These actions are expected for this purpose, but they do write to the user's home and update OpenClaw config — the user should review/backup that config before applying changes. The SKILL.md does not explicitly warn that model weights will be downloaded at runtime (faster-whisper/huggingface-hub), which is an important runtime behavior to be aware of.
- Install Mechanism (ok): No packaged install spec is present; the SKILL.md includes shell commands to create a Python venv and pip install faster-whisper. Using pip in an isolated venv is a reasonable install mechanism. The packages pulled (faster-whisper and its deps) come from PyPI/huggingface and are expected for transcription. There is no download from untrusted personal URLs or extract-from-URL steps in the manifest.
- Credentials (note): The skill declares no environment variables or credentials, which is proportional. However, faster-whisper/huggingface-hub will perform network downloads of model artifacts (potentially large) and could prompt for HF auth if private models are used; the SKILL.md does not explicitly call this out. No unrelated secrets or config paths are requested.
- Persistence & Privilege (ok): The skill is instruction-only and not always-enabled; it does not request elevated privileges or modify other skills. It proposes editing the agent's openclaw.json configuration (its own runtime configuration), which is appropriate for enabling STT/TTS.
