Skill v1.0.0

ClawScan security

musa-torch-coding · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 13, 2026, 9:59 AM
Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary
The skill's public description claims OpenAI Whisper transcription and requests an OPENAI_API_KEY, but the SKILL.md and included files are about MUSA/torch GPU code conversion and YOLO templates — the metadata and declared requirements do not match the actual content.
Guidance
This skill's metadata and description (OpenAI Whisper transcription, OPENAI_API_KEY required) do not match the actual content (MUSA/torch guidance, CUDA->MUSA converter, YOLO template). Before installing or supplying secrets:
1. Do not provide your OPENAI_API_KEY; the code does not use it.
2. Confirm with the publisher what the skill is supposed to do; the mismatch may be a packaging error or mislabeling.
3. Inspect the included scripts locally (scripts/cuda_to_musa.py, assets/yolo8n_template.py, references/reference.md). They appear to be benign conversion and template code with no network/exfiltration, but they do advise running build/install commands and privileged operations.
4. Do not run sudo commands (e.g., sudo usermod ...) or build/install steps until you trust the source and understand the effect on your system.
5. If you wanted an audio transcription skill, look for a different skill whose files, instructions, and required env vars actually reference the OpenAI transcription API.

Review Dimensions

Purpose & Capability
Rating: concern. Name/description claim: 'Transcribe audio via OpenAI Audio Transcriptions API (Whisper)'. Actual files and SKILL.md: MUSA (Moore Threads) torch guidance, CUDA-to-MUSA converter, YOLO template, and extensive environment/build instructions. The declared primary credential (OPENAI_API_KEY) and required binary (curl) are unrelated to the skill's true content.
Instruction Scope
Rating: concern. The SKILL.md instructs system-level checks and operations appropriate for GPU setup (checking musaInfo, /usr/local/musa, modifying conda envs, build scripts). It also suggests privileged actions (e.g., 'sudo usermod -aG render $(whoami)', editing LD_LIBRARY_PATH, running build.sh). These instructions are coherent with MUSA GPU setup but entirely outside the advertised transcription purpose, and they can require elevated privileges on the host.
Install Mechanism
Rating: ok. No install spec is provided (instruction-only), so nothing is automatically downloaded or executed during install. The skill includes code files (converter and templates) that will be present on disk, but there are no external URLs, archive extracts, or package installs declared.
Credentials
Rating: concern. requires.env declares OPENAI_API_KEY as required and primaryEnv, but neither SKILL.md nor the included Python files reference OpenAI APIs or use that key. The SKILL.md also lists MUSA-specific environment variables (MUSA_VISIBLE_DEVICES, etc.) in prose but does not declare them as required. The declared required binary 'curl' is not used anywhere in the repository. Requesting an unrelated secret (OPENAI_API_KEY) is disproportionate and suspicious.
Persistence & Privilege
Rating: note. The skill does not set always:true and does not claim to modify other skills or system-wide agent settings. However, the runtime instructions encourage privileged system changes (adding the user to the 'render' group, running build/install scripts), which could have security implications if executed without review. The skill itself does not request persistent elevated agent privileges.