Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Geode On-device Transcribe & Summary
v1.0.0
Transcribe and summarize audio/video files locally. Unlimited usage at a flat rate for heavy users.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims on-device transcription/summarization and the instructions exclusively call a local CLI bundled with a macOS app (/Applications/Geode.app/Contents/Helpers/GeodeCLI) and use an App Group container for input/output — which is coherent for a macOS-only, on-device tool. However, README/SKILL.md assert 'privacy-first' and 'all processing happens locally' while the documented error codes include SUMMARY_NOT_LOGGED_IN and SUMMARY_INSUFFICIENT_QUOTA, implying an account/quota or cloud-backed AI summary. Also the published metadata lacks a real homepage/source repository (skill.json contains a placeholder), which weakens provenance.
Instruction Scope
Runtime instructions are narrowly scoped: copy audio into the App Group inbox, run the bundled GeodeCLI to enqueue a single audio file, and poll the CLI for status and output file paths. The instructions do not ask the agent to read unrelated system files, environment variables, or send data to remote endpoints. They do rely on writing/reading files under ~/Library/Group Containers/... which is expected for an App Group integration.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only and expects the preinstalled Geode.app/GeodeCLI. This is low-risk from an install perspective, but it means trust is shifted to the external Geode.app binary (which the skill does not provide or verify).
Credentials
The skill requests no environment variables or credentials, which is appropriate. But the error codes referencing login/quota for summaries suggest that parts of the summary feature may require an account or networked service; that capability is not declared or explained in the metadata and contradicts the 'local-only' privacy claim.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or system-wide settings. It interacts only with a local App Group path and the bundled app/CLI, which is within expected privileges for a local helper integration.
What to consider before installing
This skill is an instruction-only integration that calls a local macOS helper app (Geode.app). Before installing or using it:
1) Verify the provenance of Geode.app — prefer installing it from a trusted source (the App Store link is present, but the skill has no verified homepage or source repo).
2) Confirm whether the summary feature runs fully on-device or requires logging into a cloud service (the error codes imply a login/quota); if you require strict local-only processing, validate this with the vendor or by testing offline.
3) Inspect the App Group container (~/Library/Group Containers/group.com.privycloudless.privyecho/) after a test run — transcripts/summaries will be written there and may contain sensitive data.
4) Test the CLI commands manually before allowing an agent to invoke them autonomously.
5) If provenance or cloud-dependence cannot be confirmed, treat the skill as potentially privacy-impacting and consider not installing it or limiting its use.
Additional useful info to reduce uncertainty: a link to the official Geode source or vendor, documentation clarifying local vs cloud summary behavior, and a signed binary distributed from a trusted developer account.
Like a lobster shell, security has layers — review code before you run it.
