v1.0.0

Mlx Whisper

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 4:52 AM.

Analysis

This skill coherently runs local MLX Whisper transcription on user-chosen media, with disclosed external package/model downloads and no evidence of credentials, hidden background activity, or data exfiltration.

GuidanceThis appears safe for its stated purpose if you trust the upstream mlx-whisper package and model sources. Expect large model downloads and local cache use, and provide only audio/video files you intend to transcribe.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

SKILL.md

metadata: {"clawdbot":{"emoji":"🍎","requires":{"bins":["mlx_whisper"]},"install":[{"id":"pip","kind":"pip","package":"mlx-whisper","bins":["mlx_whisper"],"label":"Install mlx-whisper (pip)"}]}}; "## Models (download on first use)"; "Models cache to `~/.cache/huggingface/`"

The skill depends on an external pip package and downloaded model files that persist in a local cache. This is disclosed and directly supports local transcription, but users should trust the upstream package and model sources.

User impactInstalling or first using the skill may download Python package components and large model files from external sources and store them locally.

RecommendationUse this skill only if you trust the mlx-whisper package and the listed model repositories; consider pinning/reviewing versions and checking available disk space.