Skillv1.0.1

ClawScan security

Gettr Transcribe · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 22, 2026, 9:24 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements, scripts, and instructions align with its stated purpose (download GETTR media and run a local MLX Whisper transcription); nothing requests unrelated credentials or installs arbitrary remote code.
Guidance: This skill appears to do what it says: extract a media URL from a GETTR page (you provide or the agent collects via browser automation), download audio with ffmpeg, and transcribe locally with mlx_whisper. Before installing, note: (1) it requires ffmpeg and mlx_whisper on PATH (brew/pip installs are suggested); (2) MLX Whisper may download large models from Hugging Face and could prompt for huggingface-cli login for some models — no credentials are required by default; (3) the agent does not handle private/gated GETTR posts (you must supply a direct media URL for those); (4) transcription is local but downloading media from GETTR means the skill will fetch remote content you point it at; and (5) CPU/ram/disk usage can be significant for large models. If you’re comfortable with those tradeoffs, the skill is internally coherent.

Review Dimensions

Purpose & Capability: okName/description (GETTR → local transcription) matches the files and runtime instructions: scripts only download media via ffmpeg and call mlx_whisper to transcribe. Required binaries (ffmpeg, mlx_whisper) are expected for this task and the install metadata lists only pip/brew installs relevant to transcription.
Instruction Scope: okSKILL.md instructs obtaining the media URL via browser automation or manual DOM inspection, then running the provided scripts. The instructions do not request unrelated files, system credentials, or broad data collection; they only reference the GETTR URL, derived slug, and local output directory. The skill explicitly excludes gated/authenticated posts.
Install Mechanism: okThe only install steps are standard package installs: 'brew install ffmpeg' and 'pip install mlx-whisper' (both declared in metadata). There are no downloads from arbitrary/personal URLs or extracted archives in the install spec.
Credentials: okNo environment variables, credentials, or config paths are required. The only potential external access is to GETTR media URLs (user-supplied) and MLX Whisper may download models from Hugging Face if needed — the README/instructions note possible Hugging Face auth but do not demand credentials.
Persistence & Privilege: okThe skill does not request permanent presence (always=false), does not modify other skills or system-wide agent settings, and only writes output to a local subdirectory under ./out/gettr-transcribe/<slug> as expected.