Qwen ASR
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Note
High Confidence
ASI04: Agentic Supply Chain Vulnerabilities
What this means
A compromised upstream release, network path, or repository could affect the installed transcription binary.
Why it was flagged
The installer fetches the latest release dynamically and extracts a downloaded executable into the user's local bin directory without an artifact-pinned version or checksum verification.
Skill content
TAG=$(curl -fsSL "https://api.github.com/repos/${REPO}/releases" ...); ... tar -xzf "${TMPDIR}/${ARCHIVE}" -C "$INSTALL_DIR"
Recommendation
Install only if you trust the upstream repository; consider manually verifying release provenance or checksums before running the installer.
