Back to skill
Skillv1.0.0
ClawScan security
Whisper Transcribe · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 11, 2026, 9:32 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files and runtime instructions are internally consistent with a local Whisper transcription wrapper; it has no unexpected credential requests, no installer that fetches arbitrary code, and the script's behavior matches the description.
- Guidance
- This skill appears to do what it claims: wrap the local 'whisper' CLI to transcribe audio. Before installing/using it: (1) ensure you trust the 'openai-whisper' pip package source and install it in a virtualenv to limit install-time risks, (2) install ffmpeg separately (the script assumes it exists), (3) be aware models are downloaded at first run and may be large and require network access and disk space, and (4) avoid running the tool on sensitive audio in untrusted environments. If you want extra assurance, inspect the pip package source before installing or run the transcription inside a container/VM.
Review Dimensions
- Purpose & Capability
- okName/description (Whisper transcription) matches the included script and SKILL.md. Required tools (whisper CLI, ffmpeg) are appropriate for the stated functionality; no unrelated binaries or credentials are requested.
- Instruction Scope
- okSKILL.md and the script only instruct running the local wrapper against user-provided audio files and writing transcripts to the same or a specified output directory. The script does not read extraneous system files, environment variables, or attempt network exfiltration itself.
- Install Mechanism
- noteThis is an instruction-only skill (no install spec). The SKILL.md recommends installing the openai-whisper package via pip; that will download packages and the whisper runtime may download model files (~MBs to GBs) at first run. This network activity and package installation is expected for this purpose but is the primary point where external code/data is fetched—run in a virtualenv or isolated environment if you want to limit risk.
- Credentials
- okNo environment variables, credentials, or config paths are requested. The script does not access secrets or unrelated system configurations.
- Persistence & Privilege
- okalways:false and no install-time persistence. The skill does not modify other skills or system-wide settings and requests no elevated privileges.