NEXUS Voice Transcriber
Pass
Audited by ClawScan on May 5, 2026.
Overview
This appears to be a legitimate voice transcription skill, but it can save recordings locally and upload audio to Deepgram if that cloud provider is chosen.
Install only if you are comfortable with local archiving of transcripts/audio. For private recordings, use the local Whisper provider; if using Deepgram, explicitly confirm the upload, protect the API key, and check Deepgram retention settings. Because the supplied script content is truncated in the review artifacts, inspect the installed script directly if you need high assurance.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A bad or oversized media URL/file could waste time, disk, or processing resources.
The script can download a user-supplied URL and process media with ffmpeg. This is expected for a transcription tool, but untrusted or very large media can still affect local resources.
r = requests.get(url, stream=True, timeout=60) ... subprocess.run(cmd, check=True, capture_output=True)
Use trusted audio/video sources, keep ffmpeg updated, and avoid processing unknown large files without checking them first.
A Deepgram key may authorize usage or billing on the user's account.
The optional Deepgram mode uses an API key from the environment and sends it as an authorization token. This is expected for Deepgram integration and no hardcoded key or key logging is shown.
api_key = os.environ.get("DEEPGRAM_API_KEY") ... "Authorization": f"Token {api_key}"
Use a dedicated, least-privilege Deepgram key, set it only when needed, and rotate it if exposed.
Installing unpinned packages can introduce dependency or provenance risk.
The setup guidance uses user-directed, unpinned Python package installs, including a GitHub fallback. This is common for Whisper setup but changes the user's Python environment.
pip install openai-whisper ... pip install git+https://github.com/openai/whisper.git
Install dependencies in a virtual environment and pin versions if using this in a sensitive or production environment.
Private recordings and transcripts may remain on the device after transcription.
The skill intentionally creates persistent local storage for transcripts, original audio, and a memory/history file. This is purpose-aligned archival but can retain sensitive voice content.
Memory lives in `~/voice-transcriber/` ... `transcripts/` ... `audio/` ... `memory.md # Provider preferences, defaults, history`
Review and delete saved audio/transcripts when no longer needed, restrict filesystem permissions, and avoid saving original audio if archival is not desired.
Voice notes, meetings, or other private audio may leave the user's machine for cloud transcription.
When the Deepgram provider is selected, the script uploads the audio file to Deepgram's API. SKILL.md discloses this endpoint and data flow, so it is expected but sensitive.
url = "https://api.deepgram.com/v1/listen" ... response = requests.post(url, params=params, headers=headers, data=f, timeout=300)
Choose local Whisper for sensitive or offline recordings; use Deepgram only after confirming the upload and reviewing the provider's retention/privacy settings.
