Local Whisper

Security checks across malware telemetry and agentic risk

Overview

Local Whisper appears to be a coherent local speech-to-text skill, with only a user-directed dependency-install/provenance note to review.

This skill looks reasonable for offline transcription. Before installing, review the manual dependency install command, consider pinning package versions, and verify that the expected local-whisper executable or wrapper exists, because the reviewed code file is scripts/transcribe.py.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing the skill may pull Python packages from external repositories before the tool can run locally.

Why it was flagged

The setup instructions ask the user to install unpinned external Python dependencies. This is purpose-aligned for local Whisper, but it creates a normal supply-chain review point.

Skill content
uv pip install --python .venv/bin/python click openai-whisper torch --index-url https://download.pytorch.org/whl/cpu
Recommendation

Install only if you trust the package source; preferably use pinned versions or a lockfile, and verify the intended command wrapper is present before use.