NEXUS Voice Transcriber
Pass
Audited by VirusTotal on May 5, 2026.
Overview
Type: OpenClaw Skill
Name: nexus-voice-transcriber
Version: 1.0.0
The 'nexus-voice-transcriber' skill is a legitimate tool for audio and video transcription using local Whisper models or the Deepgram API. The Python script (scripts/transcribe.py) implements standard functionality for downloading remote files, extracting audio via ffmpeg, and managing transcripts. It follows security best practices by using argument lists in subprocess calls to prevent shell injection and retrieving API keys from environment variables rather than hardcoding them. No evidence of data exfiltration, malicious prompt injection, or unauthorized persistence was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A bad or oversized media URL/file could waste time, disk, or processing resources.
The script can download a user-supplied URL and process media with ffmpeg. This is expected for a transcription tool, but untrusted or very large media can still affect local resources.
r = requests.get(url, stream=True, timeout=60) ... subprocess.run(cmd, check=True, capture_output=True)
Use trusted audio/video sources, keep ffmpeg updated, and avoid processing unknown large files without checking them first.
A Deepgram key may authorize usage or billing on the user's account.
The optional Deepgram mode uses an API key from the environment and sends it as an authorization token. This is expected for Deepgram integration and no hardcoded key or key logging is shown.
api_key = os.environ.get("DEEPGRAM_API_KEY") ... "Authorization": f"Token {api_key}"
Use a dedicated, least-privilege Deepgram key, set it only when needed, and rotate it if exposed.
Installing unpinned packages can introduce dependency or provenance risk.
The setup guidance uses user-directed, unpinned Python package installs, including a GitHub fallback. This is common for Whisper setup but changes the user's Python environment.
pip install openai-whisper ... pip install git+https://github.com/openai/whisper.git
Install dependencies in a virtual environment and pin versions if using this in a sensitive or production environment.
Private recordings and transcripts may remain on the device after transcription.
The skill intentionally creates persistent local storage for transcripts, original audio, and a memory/history file. This is purpose-aligned archival but can retain sensitive voice content.
Memory lives in `~/voice-transcriber/` ... `transcripts/` ... `audio/` ... `memory.md # Provider preferences, defaults, history`
Review and delete saved audio/transcripts when no longer needed, restrict filesystem permissions, and avoid saving original audio if archival is not desired.
Voice notes, meetings, or other private audio may leave the user's machine for cloud transcription.
When the Deepgram provider is selected, the script uploads the audio file to Deepgram's API. SKILL.md discloses this endpoint and data flow, so it is expected but sensitive.
url = "https://api.deepgram.com/v1/listen" ... response = requests.post(url, params=params, headers=headers, data=f, timeout=300)
Choose local Whisper for sensitive or offline recordings; use Deepgram only after confirming the upload and reviewing the provider's retention/privacy settings.
