transcription
Security checks across malware telemetry and agentic risk
Overview
This skill appears to do what it says—transcribe user-provided media—but users should verify the hardcoded local Whisper endpoint before sending private recordings.
Before installing, confirm that 192.168.0.11:8080 is your intended Whisper transcription service. Treat audio and video files as potentially sensitive, and only submit recordings you are comfortable sending to that endpoint.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private recordings may be sent to a local-network service at 192.168.0.11 for transcription.
The script uploads the provided audio or extracted video audio to a hardcoded private-network HTTP endpoint. This is expected for API-based transcription, but the endpoint operator and network boundary should be verified.
WHISPER_ENDPOINT = "http://192.168.0.11:8080/v1/audio"
...
requests.post(f"{WHISPER_ENDPOINT}/transcriptions", files=files, data=data)
Only use this skill if that IP address is your intended Whisper service, and avoid sending sensitive recordings unless you trust that endpoint.
Video transcription may run ffmpeg locally and create/delete an extracted audio file next to the source video.
For video files, the script invokes ffmpeg to extract audio. This is purpose-aligned and uses an argument list rather than a shell string, but it still depends on a local binary and writes a temporary sidecar WAV file.
cmd = ["ffmpeg", "-y", "-i", video_file, "-vn", "-acodec", "pcm_s16le", "-ar", "16000", "-ac", "1", audio_file]
subprocess.run(cmd, check=True, capture_output=True)
Ensure ffmpeg is installed from a trusted source and avoid using paths where an existing '<video filename>.wav' sidecar file should be preserved.
