Whisper Local Api
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill’s local transcription goal is coherent, but it installs and runs unpinned external code and may expose an unauthenticated API beyond localhost despite strong offline/privacy claims.
Before installing, review or pin the external GitHub backend and dependencies, run the bootstrap/start steps manually, and ensure the service binds only to localhost or is protected by a firewall/authentication if reachable on a network.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may end up running backend code or dependencies that ClawHub did not review, and future upstream changes could alter behavior.
The install path downloads the latest external code and dependencies, which are not included in the reviewed artifacts, without pinning or integrity verification.
REPO_URL="${WHISPER_REPO_URL:-https://github.com/Hantok/local-whisper-backend.git}" ... git clone "$REPO_URL" "$WHISPER_DIR" ... pip install -r requirements.txt
Pin the repository to a specific commit or signed release, provide dependency lockfiles or hashes, and disclose the external backend source clearly before asking users to run bootstrap.

If the host firewall or network exposes the port, other clients could reach the transcription service or consume its resources without authentication.
0.0.0.0 is an all-interfaces bind address, not localhost-only, and the instructions describe no default authentication boundary for the audio transcription API.
The API securely binds locally to `0.0.0.0` ... No authentication tokens are passed over the network.
Bind to 127.0.0.1 by default, require explicit user approval for all-interface binding, and add authentication or firewall guidance for any network exposure.

Users may underestimate install-time network and supply-chain risk because the skill is framed as fully offline and deterministic.
The privacy/offline wording is stronger than the artifacts support because the bootstrap script contacts GitHub and package indexes to install unbundled external code.
**100% Offline & Private:** Your voice data, commands, and transcriptions never leave your host system. Zero cloud dependencies.
Clarify that the runtime endpoint is intended to be local, but installation downloads third-party code and dependencies unless the user vendors or pins them.

The service may keep running and using port 9000 or system resources after the setup command finishes.
The start script launches a background service process, which is expected for an API server but should be visible and easy to stop.
bash run_server.sh &
SERVER_PID=$!
echo "Whisper local API started with PID $SERVER_PID"
Provide a documented stop command, PID file, service manager instructions, or foreground mode so users can control the server lifecycle.
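A hardened bootstrap and lifecycle sketch that applies the recommendations from the first, second and fourth findings: check out and verify a pinned commit, install hash-locked dependencies, refuse a non-loopback bind unless the user opts in, and track the server PID with a stop command. This is an added example, not the skill's own bootstrap or start scripts; WHISPER_PINNED_COMMIT, WHISPER_BIND_ADDR, WHISPER_ALLOW_NETWORK, requirements.lock, whisper.pid and run_server.sh honouring WHISPER_BIND_ADDR are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the skill's own bootstrap/start scripts. Hypothetical
# pieces: WHISPER_PINNED_COMMIT, WHISPER_BIND_ADDR, WHISPER_ALLOW_NETWORK,
# requirements.lock (hash-locked deps), whisper.pid, and run_server.sh
# honouring WHISPER_BIND_ADDR.
set -eu

REPO_URL="${WHISPER_REPO_URL:-https://github.com/Hantok/local-whisper-backend.git}"
WHISPER_DIR="${WHISPER_DIR:-${HOME:-/tmp}/local-whisper-backend}"
PINNED_COMMIT="${WHISPER_PINNED_COMMIT:-REVIEWED_COMMIT_SHA_PLACEHOLDER}"
BIND_ADDR="${WHISPER_BIND_ADDR:-127.0.0.1}"   # loopback unless the user opts in
PID_FILE="$WHISPER_DIR/whisper.pid"

# 0 for loopback; an all-interface bind (0.0.0.0, ::) only with WHISPER_ALLOW_NETWORK=1.
check_bind_addr() {
  case "$1" in
    127.0.0.1|localhost|::1) return 0 ;;
    *) [ "${WHISPER_ALLOW_NETWORK:-0}" = "1" ] ;;
  esac
}

# 0 only if the checkout in $1 is exactly on commit $2 (fails if $1 is not a repo).
verify_pinned() {
  head="$(git -C "$1" rev-parse HEAD 2>/dev/null)" || return 1
  [ "$head" = "$2" ]
}

bootstrap() {
  [ -d "$WHISPER_DIR/.git" ] || git clone "$REPO_URL" "$WHISPER_DIR"
  git -C "$WHISPER_DIR" fetch --quiet origin
  git -C "$WHISPER_DIR" checkout --quiet --detach "$PINNED_COMMIT"
  verify_pinned "$WHISPER_DIR" "$PINNED_COMMIT" || { echo "HEAD is not the pinned commit" >&2; exit 1; }
  pip install --require-hashes -r "$WHISPER_DIR/requirements.lock"  # hashes, not a bare requirements.txt
}

start_server() {
  check_bind_addr "$BIND_ADDR" || { echo "refusing non-loopback bind $BIND_ADDR" >&2; exit 1; }
  if [ -f "$PID_FILE" ] && kill -0 "$(cat "$PID_FILE")" 2>/dev/null; then echo "already running"; return 0; fi
  (cd "$WHISPER_DIR" && WHISPER_BIND_ADDR="$BIND_ADDR" nohup bash run_server.sh >server.log 2>&1 &
   echo $! >"$PID_FILE")
  echo "Whisper local API started, PID $(cat "$PID_FILE"), bound to $BIND_ADDR"
}

stop_server() {
  [ -f "$PID_FILE" ] || { echo "not running"; return 0; }
  kill "$(cat "$PID_FILE")" && rm -f "$PID_FILE"
}

case "${1:-}" in bootstrap) bootstrap ;; start) start_server ;; stop) stop_server ;; esac
```

Run as `./whisper.sh bootstrap`, `./whisper.sh start`, `./whisper.sh stop`; an all-interface bind requires both WHISPER_BIND_ADDR=0.0.0.0 and WHISPER_ALLOW_NETWORK=1, so the network exposure is an explicit choice rather than the default.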
