Skillv1.0.0

ClawScan security

MJ Windows Faster Whisper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 24, 2026, 4:16 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's instructions, required tools, and actions match its stated purpose (local transcription with faster-whisper); nothing requested is disproportionate or unrelated.
Guidance: This skill appears to be what it says: a helper for running faster-whisper locally. Before installing or following the steps, consider that: (1) pip-installing packages and downloading models will fetch third-party code and files from the network — use a virtual environment and review packages if you are cautious; (2) model files can be large and require disk space; (3) if you need a private model you may need a Hugging Face token (the skill does not request any secrets by default); (4) the SKILL.md gives a Windows-style example path — adapt it to your OS and avoid hardcoding usernames; and (5) ensure you have permission to transcribe any audio you process. If those points are acceptable, the skill's instructions are proportionate to its purpose.

Review Dimensions

Purpose & Capability: okThe skill is described as a local faster-whisper (CTranslate2) transcription helper and its instructions request exactly the things needed for that: python/ffmpeg availability, installing faster-whisper/ctranslate2/huggingface_hub, and downloading a CTranslate2-style model folder from Hugging Face.
Instruction Scope: noteInstructions are scoped to setting up and using a local model (convert OGG/Opus to WAV, load a local model folder, transcribe). They explicitly reference GitHub and Hugging Face for downloads — this requires network access and may require authentication for private models. The example local path uses a specific Windows username (C:\Users\joshu...), which is just an example but could confuse non-Windows users; otherwise the runtime instructions do not ask to read unrelated files or secrets.
Install Mechanism: noteThis is an instruction-only skill (no install spec). It tells the user/agent to pip-install packages (faster-whisper, ctranslate2, huggingface_hub) and to download a model from Hugging Face. Installing packages from PyPI and downloading models are expected for this use case but do involve running third-party code and transferring model files from the network — normal for local ML tooling but worth noting.
Credentials: okThe skill declares no required environment variables or credentials and its instructions do not demand unrelated secrets. The only possible credential scenario is an optional Hugging Face token if the chosen model is private or rate-limited, which is consistent with the stated workflow.
Persistence & Privilege: okThe skill does not request always:true, does not modify system-wide configs in its instructions, and is instruction-only (no code writing or autonomous persistence). Its requested level of presence is proportionate.