Mlx Whisper

PassAudited by ClawScan on May 1, 2026.

Overview

This skill coherently runs local MLX Whisper transcription on user-chosen media, with disclosed external package/model downloads and no evidence of credentials, hidden background activity, or data exfiltration.

This appears safe for its stated purpose if you trust the upstream mlx-whisper package and model sources. Expect large model downloads and local cache use, and provide only audio/video files you intend to transcribe.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Installing or first using the skill may download Python package components and large model files from external sources and store them locally.

Why it was flagged

The skill depends on an external pip package and downloaded model files that persist in a local cache. This is disclosed and directly supports local transcription, but users should trust the upstream package and model sources.

Skill content

metadata: {"clawdbot":{"emoji":"🍎","requires":{"bins":["mlx_whisper"]},"install":[{"id":"pip","kind":"pip","package":"mlx-whisper","bins":["mlx_whisper"],"label":"Install mlx-whisper (pip)"}]}}; "## Models (download on first use)"; "Models cache to `~/.cache/huggingface/`"

Recommendation

Use this skill only if you trust the mlx-whisper package and the listed model repositories; consider pinning/reviewing versions and checking available disk space.