usewhisper

Pass

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a coherent Whisper Context integration, but it deliberately sends conversation content to an external long-term-memory API using your API key.

Install only if you trust Whisper Context with the conversations you choose to ingest. Use a least-privilege API key, keep the API URL set to a trusted endpoint, avoid passing sensitive files via @path/stdin unless intended, and verify the publisher because the provided registry metadata lacks a source URL or homepage.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

User and assistant messages may be stored outside the local OpenClaw environment and later influence future prompts.

Why it was flagged

The skill intentionally persists conversation turns to an external service and reuses retrieved context in later sessions.

Skill content

adds long-term memory across sessions ... `ingest_session` sends both user and assistant text to the Context API

Recommendation

Use this only for conversations you are comfortable storing with Whisper Context, review the provider's retention/deletion controls, and treat retrieved memories as context rather than trusted instructions.

What this means

The API key gives the helper access to the configured Whisper Context project/org actions needed for memory and cost operations.

Why it was flagged

The skill requires a provider API key and may use that credential to create a project in the user's organization.

Skill content

env: ["WHISPER_CONTEXT_API_KEY", "WHISPER_CONTEXT_PROJECT"] ... the helper will auto-create it in your org on first use

Recommendation

Use a least-privilege Whisper Context key, rotate it if exposed, and confirm that automatic project creation is acceptable.

What this means

If the API URL is changed to an untrusted host, conversation data and the Whisper API key could be sent there.

Why it was flagged

The helper can send authenticated requests to a user-supplied API URL, so an unsafe override would direct the API key and request data away from the default provider endpoint.

Skill content

const apiUrl = flags.api_url || API_URL_DEFAULT; ... Authorization: `Bearer ${API_KEY}`

Recommendation

Leave the default API URL unless you intentionally use a trusted self-hosted or provider-approved endpoint.

What this means

Users have less provenance information when deciding whether to trust a skill that handles API keys and conversation memory.

Why it was flagged

The registry metadata does not provide an independent source repository or homepage to verify the 'Official Whisper' claim.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the publisher and service endpoint through a trusted Whisper Context channel before providing credentials or sensitive conversations.