LLMWhisperer
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: llmwhisperer Version: 0.0.7 The skill is benign. It reads a specific API key (`LLMWHISPERER_API_KEY`) from `~/.clawdbot/.env` (a standard practice for OpenClaw skills) and uses it to authenticate a `curl` request. The `curl` command sends the user-provided file to the legitimate LLMWhisperer API endpoint (`https://llmwhisperer-api.us-central.unstract.com`) for text extraction, aligning perfectly with the skill's stated purpose. There is no evidence of data exfiltration beyond the necessary API key and input file, malicious execution, persistence mechanisms, or prompt injection attempts in SKILL.md.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Images and PDFs processed with this skill leave the local environment and are sent to the third-party API provider.
The selected local file is sent to an external LLMWhisperer/Unstract API. This is necessary for the stated extraction purpose, but the file may contain sensitive document data.
curl -s -X POST "https://llmwhisperer-api.us-central.unstract.com/api/v2/whisper?mode=high_quality&output_mode=layout_preserving" ... --data-binary "@$FILE"
Use it only for documents you are allowed to send to LLMWhisperer, and review the provider's privacy and retention terms for sensitive files.
A LLMWhisperer API key must be stored locally and will be used to authenticate requests to the provider.
The skill needs a provider API credential and reads it from a local env file. This is expected for the API integration, but the registry metadata lists no required env vars or primary credential.
Requires `LLMWHISPERER_API_KEY` in `~/.clawdbot/.env` ... -H "unstract-key: $LLMWHISPERER_API_KEY"
Store only the intended LLMWhisperer key, keep `~/.clawdbot/.env` private, and rotate the key if it is accidentally shared.
The package may not include the executable exactly where the instructions say it is, so setup or invocation could be confusing.
The supplied manifest contains only SKILL.md, so the referenced executable is not present as a separate reviewed file. The intended script body is embedded in SKILL.md, making this a coherence/provenance note rather than a hidden-code concern.
metadata: {"clawdbot":{"emoji":"📄","scripts":["scripts/llmwhisperer"]}} ... The executable script is located at `scripts/llmwhisperer`.If creating the script manually, use the visible script content from SKILL.md and verify the command path before relying on it.