Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pub Whisper
v1.0.0
Local speech-to-text with the Whisper CLI (no API key). And also 50+ models for image generation, video generation, text-to-speech, speech-to-text, music, ch...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill description and name claim 'Local speech-to-text with the Whisper CLI (no API key)', but the SKILL.md is entirely written around a remote service ('https://api.heybossai.com/v1') and requires SKILLBOSS_API_KEY. This is a direct mismatch: local Whisper would not need a remote aggregator API key. The SKILL.md also advertises 50+ remote models and routing, which is not consistent with a purely local-only tool.
Instruction Scope
The instructions direct the agent to make curl calls to heybossai.com endpoints using Authorization: Bearer $SKILLBOSS_API_KEY, download generated assets (curl -sL "$URL" -o <file>), and call many model endpoints. There are references to run.mjs examples in the model docs, but no local binaries or setup instructions are provided. The runtime instructions therefore send user data (e.g., base64 audio) to a third-party API — contradicting the 'local, no API key' claim and raising data-exfiltration / privacy concerns.
Install Mechanism
Instruction-only skill with no install spec or code files to execute. That lowers disk-write risk. However, because it instructs network calls to an external API, lack of an installer doesn't eliminate behavioral concerns.
Credentials
The skill requires a single environment variable SKILLBOSS_API_KEY (declared as primary), which matches the SKILL.md content. The proportionality concern is that the public description explicitly said 'no API key' while runtime requires a key — this is a misleading or inconsistent credential requirement. Requesting a single API key for an aggregator service would be reasonable for remote calls, but it is not justified by the skill's description as presented to users.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; it does not request elevated or persistent privileges, nor does it modify other skills or system settings. Autonomous invocation is allowed by default but is not by itself a red flag here.
What to consider before installing
Do not assume local processing: this skill's description says 'local, no API key' but its SKILL.md sends data to https://api.heybossai.com and requires SKILLBOSS_API_KEY. Before installing, verify the publisher and confirm whether you will actually be sending audio to a remote aggregator. If you need true local Whisper, get a skill that documents local binaries and does not require an external API key. If you proceed with this skill, treat SKILLBOSS_API_KEY like a secret (use a throwaway/test key first), review the aggregator's privacy/terms, and avoid sending sensitive audio or documents until you're comfortable with the remote service and logging/retention policies.
Like a lobster shell, security has layers — review code before you run it.
latestvk97efww42wee142h79yfk4cwjn82r9tn
Runtime requirements
Env: SKILLBOSS_API_KEY
Primary env: SKILLBOSS_API_KEY
