Skill v1.0.0
ClawScan security
Free Groq Voice Recognition · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 15, 2026, 11:27 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to implement Groq Whisper transcription, but its published metadata omits required credentials and binaries (GROQ_API_KEY, jq) and contains a few misleading/inconsistent statements; these mismatches warrant caution before installing.
- Guidance: This skill's behavior (curl to api.groq.com with Authorization) matches its claimed purpose, but the package metadata is incomplete. Before installing:
  1) Treat your GROQ_API_KEY as a secret: do not paste it into shared or public files; prefer storing it as an environment variable or in a secure vault rather than plaintext TOOLS.md.
  2) Ensure your environment has curl, jq and bash available (transcribe.sh uses jq to extract .text).
  3) Verify Groq's free-tier terms on https://console.groq.com/ to confirm the "100% free, no limits" claim.
  4) If you need auditing or least privilege, ask the publisher to update the registry metadata to declare GROQ_API_KEY as a required credential and list required binaries (jq, curl).
  5) If you are in a restricted network and must use a proxy, confirm the proxy address and understand that traffic (audio and API key in Authorization header) will be sent to api.groq.com.
  6) If you want higher confidence, request the author to provide provenance (homepage or source repo) and a signed update to the metadata; without that, treat the skill as functional but inconsistently documented.
Review Dimensions
- Purpose & Capability (concern): The skill's purpose (Groq Whisper transcription) is consistent with the included transcribe.sh and SKILL.md. However, the registry metadata declares no required environment variables or binaries while the runtime files clearly require GROQ_API_KEY and the jq binary (and the README mentions a Bash shell). This mismatch between declared requirements and actual needs is an incoherence.
- Instruction Scope (note): SKILL.md and transcribe.sh stay within transcription scope (calling Groq's /audio/transcriptions endpoint and processing audio files). The docs advise storing the API key in a local TOOLS.md and support batch processing of audio files; these are reasonable for the task, but the instructions don't specify secure handling of the key and implicitly allow processing arbitrary files in a folder, which increases risk if misused.
- Install Mechanism (ok): No install spec is provided (instruction-only plus a small shell script), so nothing is downloaded or executed during install. That's low-risk. Note: the script depends on external tools (curl, jq, bash), but the metadata didn't declare those dependencies.
- Credentials (concern): Functionality reasonably requires a single API credential (GROQ_API_KEY) and optionally a GROQ_PROXY setting; that is proportionate. The problem is that the skill registry declares no required env vars or primary credential, which is misleading and prevents platform-level controls or warning about secret use.
- Persistence & Privilege (ok): The skill does not request always:true, does not modify other skills, and has no install-time persistence. It only expects the operator to provide an API key/config locally; no elevated platform privileges are requested.
