Local STT (Nvidia Parakeet + Whisper Support)

AdvisoryAudited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

NoteHigh Confidence

ASI04: Agentic Supply Chain Vulnerabilities

What this means

First use may fetch and run external packages needed for transcription, so the user relies on package registry provenance and current package versions.

Why it was flagged

The script is designed to run through uv and resolve Python dependencies at runtime, but the packages are not version-pinned in the artifact.

Skill content

#!/usr/bin/env -S uv run --script
# dependencies = [
#     "onnx-asr",
#     "onnxruntime",
#     "huggingface_hub",
#     "click",
#     "requests",
# ]

Recommendation

Declare uv as a requirement, pin dependency versions or include a lockfile, and document that models/packages may be downloaded on first use.

NoteHigh Confidence

ASI03: Identity and Privilege Abuse

What this means

If configured, the skill can post transcriptions to Matrix rooms accessible to that token.

Why it was flagged

When Matrix delivery is used, the script uses a Matrix access token to act on the user's Matrix account, although registry metadata declares no primary credential or required environment variables.

Skill content

homeserver = os.environ.get("MATRIX_HOMESERVER")
access_token = os.environ.get("MATRIX_ACCESS_TOKEN")
headers = {"Authorization": f"Bearer {access_token}"}

Recommendation

Document the optional Matrix credential contract clearly, use the least-privileged token available, and only provide --room-id for rooms where posting transcripts is intended.

NoteHigh Confidence

ASI07: Insecure Inter-Agent Communication

What this means

Audio content that may have been expected to stay local can leave the device and become visible in the selected Matrix room.

Why it was flagged

With --room-id, the transcribed audio text is sent to an external Matrix room via the Matrix REST API.

Skill content

payload = {
    'msgtype': 'm.text',
    'body': f'🎙️ {text}',
...
}
resp = requests.put(url, headers=headers, json=payload, timeout=10)

Recommendation

Use Matrix sending only intentionally, avoid sending sensitive audio transcripts to shared rooms, and consider adding an explicit confirmation or clearer documentation for this mode.