Skillv1.0.0

ClawScan security

Voice2text · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 1, 2026, 7:02 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, instructions, and requirements match its stated purpose (offline Vosk-based speech-to-text); it asks for no credentials and contains no obvious exfiltration or unrelated actions.
Guidance: This skill appears internally consistent, but it runs publisher-provided Python code locally — review and run it in an isolated environment. Before using: 1) ensure you have a compatible 16kHz mono 16‑bit WAV and a trusted Vosk model placed in a 'model' directory (the package does not include the model); 2) install dependencies from requirements.txt in a virtualenv; 3) inspect main.py yourself (it is short and straightforward) and avoid running untrusted models; 4) if you need stronger isolation, run inside a container or VM. The tests are placeholders and do not create sample audio, so functional testing requires providing a real WAV and a Vosk model.

Purpose & Capability: okName/description (offline Vosk STT) align with included files: main.py uses vosk.Model and expects a local 'model' directory; requirements list vosk and pytest. No unrelated credentials, binaries, or services are requested.
Instruction Scope: okSKILL.md and README instruct running main.py with an audio path and installing Python deps. The runtime only reads the provided WAV file, loads the local Vosk model, and performs transcription — no access to other files, env vars, or network calls is present in the code.
Install Mechanism: okThere is no automated install spec; this is instruction-only with code included. Dependencies are standard Python packages (vosk, pytest). No downloads from untrusted URLs or archive extraction are performed by the skill.
Credentials: okThe skill declares no required env vars, credentials, or config paths. The code does not attempt to read environment secrets or external configs.
Persistence & Privilege: okSkill is user-invocable and not set to always; it does not modify other skills or system settings and does not request persistent privileges.