Skill v1.0.0
ClawScan security
MH openai-whisper-api · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 25, 2026, 3:43 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This skill is internally consistent: it simply uploads a local audio file to OpenAI's /v1/audio/transcriptions endpoint using curl and an OPENAI_API_KEY.
- Guidance: This skill simply uploads a local audio file to OpenAI's transcription endpoint using curl and your OPENAI_API_KEY. Before installing, consider: (1) Privacy — your audio is sent to OpenAI; don't upload sensitive audio unless you're comfortable with OpenAI's handling and retention policies. (2) Keep your OPENAI_API_KEY secret and revoke it if compromised. (3) The SKILL.md mentions storing a key in ~/.openclaw/openclaw.json for convenience, but the script only reads the OPENAI_API_KEY environment variable — ensure you understand how your platform provides keys. (4) Verify network access to api.openai.com and that curl is the expected binary on your system. The included shell script is short, readable, and not obfuscated; no other endpoints or hidden behaviors were found.
Review Dimensions
- Purpose & Capability (ok): Name/description, required binary (curl), required env var (OPENAI_API_KEY), and provided script all align with a Whisper transcription client that calls OpenAI's audio/transcriptions API.
- Instruction Scope (note): SKILL.md and the script only instruct uploading a provided audio file to api.openai.com and writing the response to a local file. The README suggests an alternate place to store the API key (~/.openclaw/openclaw.json) for user convenience, but the script itself only reads OPENAI_API_KEY from the environment. There are no instructions to read arbitrary system files or send data to other endpoints.
- Install Mechanism (ok): Instruction-only skill with no install spec and a small helper script; no downloads or extraction steps. This is low-risk from an install perspective.
- Credentials (ok): Only OPENAI_API_KEY is required, which is appropriate for calling OpenAI's API. No other credentials, system config paths, or unrelated environment variables are requested. The key is used directly in an Authorization header to call OpenAI — expected behavior.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request elevated or persistent system privileges. It does not modify other skills or system configuration.
