Qwen ASR

Pass. Audited by ClawScan on May 10, 2026.

Overview

This skill coherently provides local speech-to-text, with the main caveat that its installer downloads an unpinned prebuilt executable and model from external sources.

This appears safe for its stated local transcription purpose. Before installing, be aware that it downloads an external prebuilt binary and a large model, stores them locally, and uses ffmpeg/qwen-asr to process audio files you provide.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A compromised upstream release, network path, or repository could affect the installed transcription binary.

Why it was flagged

The installer fetches the latest release dynamically and extracts a downloaded executable into the user's local bin directory without an artifact-pinned version or checksum verification.

Skill content

TAG=$(curl -fsSL "https://api.github.com/repos/${REPO}/releases" ...); ... tar -xzf "${TMPDIR}/${ARCHIVE}" -C "$INSTALL_DIR"

Recommendation

Install only if you trust the upstream repository; consider manually verifying release provenance or checksums before running the installer.