NEXUS Voice Transcriber

Advisory: Audited by static analysis on May 5, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A bad or oversized media URL/file could waste time, disk, or processing resources.

Why it was flagged

The script can download a user-supplied URL and process media with ffmpeg. This is expected for a transcription tool, but untrusted or very large media can still affect local resources.

Skill content

r = requests.get(url, stream=True, timeout=60) ... subprocess.run(cmd, check=True, capture_output=True)

Recommendation

Use trusted audio/video sources, keep ffmpeg updated, and avoid processing unknown large files without checking them first.

What this means

A Deepgram key may authorize usage or billing on the user's account.

Why it was flagged

The optional Deepgram mode uses an API key from the environment and sends it as an authorization token. This is expected for Deepgram integration and no hardcoded key or key logging is shown.

Skill content

api_key = os.environ.get("DEEPGRAM_API_KEY") ... "Authorization": f"Token {api_key}"

Recommendation

Use a dedicated, least-privilege Deepgram key, set it only when needed, and rotate it if exposed.

What this means

Installing unpinned packages can introduce dependency or provenance risk.

Why it was flagged

The setup guidance uses user-directed, unpinned Python package installs, including a GitHub fallback. This is common for Whisper setup but changes the user's Python environment.

Skill content

pip install openai-whisper ... pip install git+https://github.com/openai/whisper.git

Recommendation

Install dependencies in a virtual environment and pin versions if using this in a sensitive or production environment.

What this means

Private recordings and transcripts may remain on the device after transcription.

Why it was flagged

The skill intentionally creates persistent local storage for transcripts, original audio, and a memory/history file. This is purpose-aligned archival but can retain sensitive voice content.

Skill content

Memory lives in `~/voice-transcriber/` ... `transcripts/` ... `audio/` ... `memory.md          # Provider preferences, defaults, history`

Recommendation

Review and delete saved audio/transcripts when no longer needed, restrict filesystem permissions, and avoid saving original audio if archival is not desired.

What this means

Voice notes, meetings, or other private audio may leave the user's machine for cloud transcription.

Why it was flagged

When the Deepgram provider is selected, the script uploads the audio file to Deepgram's API. SKILL.md discloses this endpoint and data flow, so it is expected but sensitive.

Skill content

url = "https://api.deepgram.com/v1/listen" ... response = requests.post(url, params=params, headers=headers, data=f, timeout=300)

Recommendation

Choose local Whisper for sensitive or offline recordings; use Deepgram only after confirming the upload and reviewing the provider's retention/privacy settings.