MLX Audio Server

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: it installs and runs a local MLX audio API server. Note, however, that it uses an external Homebrew tap and starts a persistent background service.

Before installing, make sure you trust the external Homebrew tap and want a background audio API server running on your Mac. Keep it local or firewall-protected if you do not want other devices to use it.

VirusTotal

63/63 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing the skill may run software supplied by the external Homebrew tap maintainer.

Why it was flagged

The installer fetches and installs the main server package from an external Homebrew tap, which is expected for this skill but means trust extends beyond the reviewed files.

Skill content

brew update
...
brew install guoqiao/tap/mlx-audio-server || true

Recommendation

Review the Homebrew formula and tap source before installing, especially because this server will run persistently.

ASI10: Rogue Agents
Low
What this means

The audio API server can keep running after setup and may continue consuming local resources until stopped.

Why it was flagged

The installer starts or restarts a Homebrew service, creating an ongoing background server process. This matches the stated 24x7 server purpose.

Skill content

brew services restart mlx-audio-server || true

Recommendation

Install only if you want a persistent local audio server, and use Homebrew services to stop or disable it when no longer needed.

ASI02: Tool Misuse and Exploitation
Low
What this means

If the server is reachable on a network, other clients may be able to use the STT/TTS service without authentication.

Why it was flagged

The documentation shows use of the API endpoint without an API key and by IP address, so users should be aware of possible unauthenticated access if the service is exposed beyond localhost.

Skill content

URL: http://<IP>:8899
Model: mlx-community/glm-asr-nano-2512-8bit
API KEY: <blank>

Recommendation

Keep the service bound to localhost or protected by firewall/network controls unless you intentionally want other devices to access it.