Local speech to text Qwen3-ASR w/ OpenVINO (no API key)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine local transcription skill, but its setup asks the agent to make broad changes to the Windows host, and its runtime code trusts auto-discovered local paths (the venv interpreter, a per-user state file) without validating them before execution.

Review before installing. Use it only on Windows, and only if you accept a first-time setup that may install Python and Git, change PATH or shell integrations, install packages, clone code, download about 2 GB of model files, and keep transcripts on disk. Prefer running the setup steps manually so you can inspect each download and install, avoid broad watch folders, and treat transcript archives as sensitive local files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        cmd = [str(Path(sys.executable)), str(script_path)]
        # run in the ASR directory so generated files land in the right place
        result = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
Confidence
94% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, encoding='utf-8', timeout=1800, cwd=str(self.asr_dir) #

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                    '--audio', str(audio_file),
                    '--language', language
                ]
                result = subprocess.run(
                    cmd,
                    capture_output=True,
                    text=True,
Confidence
91% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, encoding='utf-8', time

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(f"  Venv created: {r.stdout.decode().strip()} [OK]")

def venv_run(args, **kw):
    return subprocess.run([str(venv_py)] + args, **kw)

# ── Upgrade pip ────────────────────────────────────────────
print("\n[2/4] Upgrading pip...")
Confidence
78% confidence
Finding
return subprocess.run([str(venv_py)] + args, **kw)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
venv_ok = False
if venv_py.exists():
    try:
        r = subprocess.run([str(venv_py), "--version"], capture_output=True, timeout=10)
        if r.returncode == 0:
            print(f"  Existing venv OK: {r.stdout.decode().strip()}")
            venv_ok = True
Confidence
76% confidence
Finding
r = subprocess.run([str(venv_py), "--version"], capture_output=True, timeout=10)

Tainted flow: 'venv_py' from os.environ.get (line 93, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
    print("  Creating venv...")
    subprocess.run([sys.executable, "-m", "venv", str(venv_dir)], check=True)
    venv_py = venv_dir / "Scripts" / "python.exe"
    r = subprocess.run([str(venv_py), "--version"], capture_output=True)
    print(f"  Venv created: {r.stdout.decode().strip()} [OK]")

def venv_run(args, **kw):
Confidence
80% confidence
Finding
r = subprocess.run([str(venv_py), "--version"], capture_output=True)

Tainted flow: 'venv_py' from os.environ.get (line 93, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
print(f"  Venv created: {r.stdout.decode().strip()} [OK]")

def venv_run(args, **kw):
    return subprocess.run([str(venv_py)] + args, **kw)

# ── Upgrade pip ────────────────────────────────────────────
print("\n[2/4] Upgrading pip...")
Confidence
84% confidence
Finding
return subprocess.run([str(venv_py)] + args, **kw)

Tainted flow: 'venv_py' from os.environ.get (line 93, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
venv_ok = False
if venv_py.exists():
    try:
        r = subprocess.run([str(venv_py), "--version"], capture_output=True, timeout=10)
        if r.returncode == 0:
            print(f"  Existing venv OK: {r.stdout.decode().strip()}")
            venv_ok = True
Confidence
81% confidence
Finding
r = subprocess.run([str(venv_py), "--version"], capture_output=True, timeout=10)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The skill markets itself as local/offline ASR, but its setup flow includes downloading a 2 GB model and silently installing Python and Git from remote URLs. This mismatch can mislead users and agents about network use and system modification, increasing the chance of unreviewed software installation in environments that expect strictly offline behavior.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The function enumerates every drive letter and probes for a per-user application state file, which expands visibility beyond the minimum needed for an environment check. In a security-sensitive agent context, broad filesystem discovery can expose installation layout across mounted volumes and creates unnecessary coupling to user-specific paths, increasing privacy and reconnaissance risk if the script or its output is abused.
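
The three taint-flow findings above and this drive-enumeration finding point at the same fix: derive runtime paths from one trusted place, validate them, and only then hand them to subprocess.run. The following is an added example written for this report, not code from the skill or from SkillSpector. It assumes the skill owns a venv directory it created itself and that the per-user state file lives under LOCALAPPDATA; the directory names, the relative state-file path and the helper names are illustrative.

```python
"""Hardened runtime discovery and interpreter launch.

Added example for this report; not code from the Qwen3-ASR skill or from
SkillSpector. Assumptions: the skill owns the venv directory it created, and
the per-user state file the original probes for lives under LOCALAPPDATA.
Directory names and helper names are illustrative.
"""
import os
import subprocess
from pathlib import Path, PureWindowsPath
from typing import Dict, List, Mapping, Optional


class UntrustedPathError(ValueError):
    """A runtime path resolved outside the directory the skill controls."""


def resolve_venv_python(venv_dir, candidate) -> Path:
    """Return the interpreter path only if it lives inside venv_dir.

    The scanner marks 'venv_py' as tainted because its origin is environment
    data. Resolving symlinks and '..' and then requiring the result to sit
    under a directory we created ourselves means an attacker-controlled
    environment value cannot redirect subprocess.run to another binary.
    """
    root = Path(venv_dir).resolve()
    target = Path(candidate).resolve()
    try:
        common = os.path.commonpath([str(root), str(target)])
    except ValueError:  # mixed absolute/relative paths, or different drives
        raise UntrustedPathError(f"{candidate!r} is not under {root}") from None
    if common != str(root):
        raise UntrustedPathError(f"{candidate!r} is not under {root}")
    if target.name not in ("python.exe", "python", "python3"):
        raise UntrustedPathError(f"{target.name!r} is not a Python interpreter")
    return target


def locate_app_state(env: Mapping[str, str], relative: str) -> Optional[PureWindowsPath]:
    """Look for the per-user state file only where Windows says it lives.

    The flagged function walks every drive letter looking for this file.
    LOCALAPPDATA is set for every interactive Windows session, so one lookup
    replaces the drive scan; a UNC or driveless value is rejected rather than
    followed to a network share.
    """
    base = env.get("LOCALAPPDATA")
    if not base:
        return None
    path = PureWindowsPath(base) / relative
    if not path.drive or path.drive.startswith("\\\\"):
        return None
    return path


def sanitized_env(env: Mapping[str, str]) -> Dict[str, str]:
    """Drop variables that change how a child Python interpreter starts up.

    PYTHONPATH, PYTHONSTARTUP and PYTHONHOME let a poisoned environment inject
    code into the child even when the executable path itself is trusted.
    """
    return {k: v for k, v in env.items() if not k.upper().startswith("PYTHON")}


def build_command(venv_py, script, extra_args: List[str]) -> List[str]:
    """Argument list for subprocess.run: no shell, absolute paths, args as-is."""
    return [str(Path(venv_py)), str(Path(script).resolve()), *extra_args]


def run_script(venv_dir, venv_py_candidate, script, extra_args: List[str],
               cwd, timeout: int = 1800) -> subprocess.CompletedProcess:
    """Validate the interpreter, then run the script with the hardened settings."""
    venv_py = resolve_venv_python(venv_dir, venv_py_candidate)
    cmd = build_command(venv_py, script, extra_args)
    return subprocess.run(cmd, capture_output=True, text=True, encoding="utf-8",
                          timeout=timeout, cwd=str(cwd),
                          env=sanitized_env(os.environ), shell=False)
```

The containment check uses os.path.commonpath on resolved paths rather than a string prefix test, so a sibling directory such as `.venv-evil` and a `..` traversal are both rejected; the list-form argument vector with `shell=False` keeps audio file names and language codes from being parsed by a shell.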

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The setup script performs network package installation and clones a remote repository, then installs that repository in editable mode (which runs the repository's own build code at install time), all as part of normal execution. In the skill context this materially increases supply-chain risk: running setup.py automatically fetches and executes third-party code from PyPI and GitHub, which can be compromised, substituted, or unexpectedly updated through transitive dependencies.
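
The finding above describes unpinned fetches from PyPI and GitHub. The controls a practitioner would want in that setup step are an origin allowlist, a digest pinned at release time for every downloaded artifact (installers and the model files alike), pip's hash-checking mode, and a clone of one reviewed commit rather than a moving branch. The following is an added example written for this report, not the skill's own setup.py; the allowed hosts, the repository details and the digests in the test data are assumptions standing in for values the skill author would publish with a release.

```python
"""Supply-chain controls for the setup step.

Added example for this report, not the skill's own setup.py. The host list,
the repository details and any digests are assumptions standing in for values
the skill author would publish alongside a release.
"""
import hashlib
import hmac
import re
from typing import Iterable, List
from urllib.parse import urlsplit

# Assumption: the only origins the setup step may fetch from.
ALLOWED_HOSTS = frozenset({"huggingface.co", "github.com",
                           "pypi.org", "files.pythonhosted.org"})
_HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")
_HEX_COMMIT = re.compile(r"^[0-9a-f]{40}$")


class IntegrityError(RuntimeError):
    """A fetched artifact did not match its pinned digest."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_allowed_download(url: str, allowed_hosts: Iterable[str] = ALLOWED_HOSTS) -> bool:
    """https only, exact host match, and no userinfo (blocks user@host tricks)."""
    parts = urlsplit(url)
    return (parts.scheme == "https"
            and parts.hostname is not None
            and parts.hostname in set(allowed_hosts)
            and parts.username is None
            and parts.password is None)


def verify_artifact(data: bytes, expected_sha256: str) -> None:
    """Compare downloaded bytes against a digest pinned at release time."""
    expected = expected_sha256.strip().lower()
    if not _HEX_SHA256.match(expected):
        raise IntegrityError("pinned digest is not a SHA-256 hex string")
    if not hmac.compare_digest(sha256_hex(data), expected):
        raise IntegrityError("artifact digest does not match the pinned value")


def pip_install_command(venv_py: str, requirements: str) -> List[str]:
    """pip in hash-checking mode: every requirement must be pinned with ==
    and carry a --hash= option, otherwise pip refuses to install."""
    return [venv_py, "-m", "pip", "install", "--require-hashes", "-r", requirements]


def git_fetch_pinned_commands(repo_url: str, dest: str, commit: str) -> List[List[str]]:
    """Fetch one reviewed commit instead of cloning whatever the branch points at."""
    if not is_allowed_download(repo_url):
        raise ValueError(f"repository origin not allowed: {repo_url}")
    if not _HEX_COMMIT.match(commit):
        raise ValueError("pin a full 40-hex commit id, not a branch or tag name")
    return [
        ["git", "init", dest],
        ["git", "-C", dest, "remote", "add", "origin", repo_url],
        ["git", "-C", dest, "fetch", "--depth", "1", "origin", commit],
        ["git", "-C", dest, "checkout", "--detach", "FETCH_HEAD"],
    ]
```

Digests for the requirements file can be produced with `pip hash <wheel>` and written as `package==1.2.3 --hash=sha256:<digest>` lines; once `--require-hashes` is on, an unpinned transitive dependency fails the install instead of silently pulling a new version. Fetching a bare commit id works against GitHub; a host that does not allow fetching unadvertised objects needs the commit reachable from an advertised ref.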

VirusTotal

66/66 vendors flagged this skill as clean.
