Skill v1.0.0

ClawScan security

Speech to text · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 8, 2026, 9:47 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions align with its stated purpose (local Whisper-based Portuguese STT); it reads and moves local audio files and writes JSON transcriptions, and does not request unrelated credentials or network endpoints beyond model downloads.
Guidance
This skill appears to do exactly what it says: local transcription using OpenAI Whisper. Before installing, consider: (1) Whisper will download model files on first run (can be large and requires network access); (2) you must install FFmpeg separately and ensure the 'inbound' folder path matches the script's computed path (SKILL.md's mkdir path may not match your environment); (3) the script will read and move any audio files placed in that folder and will write JSON transcriptions to an output directory—do not place sensitive audio there unless you are comfortable with it being processed and stored locally; (4) review requirements.txt and install dependencies in an isolated environment (virtualenv/container) to limit systemic impact. I reviewed the provided files and saw no code that exfiltrates data or requests unrelated credentials; if you want extra assurance, run the script in a sandboxed environment and inspect the full (non-truncated) stt_processor.py before production use.

Review Dimensions

Purpose & Capability
ok
Name and description match the included code and SKILL.md: the package implements a Whisper-based transcriber, supports the listed audio formats and timestamps, and saves/moves files as expected. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
note
SKILL.md instructions are narrowly scoped to installing Python deps, FFmpeg, creating an inbound folder, and running the script. The script operates on a local media/inbound folder and writes transcriptions to an output directory. Two minor issues to be aware of: (1) SKILL.md asks to create ../../../media/inbound — the script computes a media path relative to the script location (workspace_dir = Path(__file__).parent.parent.parent then .parent / 'media'), so you should verify the exact folder path used in your deployment to avoid missed files; (2) Whisper will download model weights on first run (network and significant disk usage), which is expected but notable.
Install Mechanism
ok
There is no installer in the registry spec; installation is via pip install -r requirements.txt and a separate FFmpeg install. Dependencies come from PyPI and standard package managers — no suspicious external URLs, archive downloads, or extract-on-disk steps are present in the manifest.
Credentials
ok
The skill declares no environment variables or credentials and the code does not read secret env vars. It only reads/writes local filesystem paths (inbound, output, processed/failed). There are no requests for unrelated credentials.
Persistence & Privilege
ok
The skill does not request always:true and is user-invocable only. It does not modify other skills or system-wide agent settings. Its runtime behavior (processing local files, saving results) is consistent with its purpose.