Skill v1.0.0

ClawScan security

MH openai-whisper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 25, 2026, 3:43 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's claims (local Whisper CLI transcription, no API key) match what it requires and instructs; nothing requested appears disproportionate, though there are two small notes to verify before installing.
Guidance
This skill appears coherent and limited in scope, but before installing: 1) confirm the Homebrew formula 'openai-whisper' comes from a trusted tap (to avoid running untrusted code via brew); 2) be aware that Whisper will download model files to ~/.cache/whisper (network usage and disk space); 3) verify the SKILL.md model name ('turbo') if you need a specific model — it may be a documentation typo. If those checks look good, the skill's requests are proportionate to its purpose.

Review Dimensions

Purpose & Capability
ok: Name/description align with requirements: the skill only needs the 'whisper' binary and provides brew install metadata for it. No unrelated credentials, binaries, or config paths are requested. Minor note: SKILL.md states the default model is 'turbo', which is unexpected for Whisper model naming and may be a documentation inaccuracy to confirm.
Instruction Scope
note: Runtime instructions are narrowly scoped: example commands operate on a user-supplied audio file and mention models downloading to ~/.cache/whisper. This implies network access and disk writes to the user home directory (model cache) on first run — normal for local transcription but worth noting. Instructions do not ask for unrelated files, secrets, or external endpoints.
Install Mechanism
note: Install uses a Homebrew formula (openai-whisper) which is a low-to-moderate risk install mechanism compared with arbitrary downloads. The SKILL metadata does not declare the tap or provenance of the formula; confirm the formula is from a trusted tap (Homebrew core or a reputable maintainer) before installing.
Credentials
ok: No environment variables, credentials, or config paths are requested — proportional to a local CLI transcription tool.
Persistence & Privilege
ok: Skill does not request always-on or elevated privileges and is not modifying other skills or global agent settings. Its runtime effects are limited to installing/using the whisper binary and caching models under the user's home directory.