Skill v1.0.0
ClawScan security
Whisper STT · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 27, 2026, 3:31 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This skill is internally coherent: it provides a local Whisper-based transcription script, requests no credentials or unrelated access, and contains no obvious exfiltration or surprising behaviour — but it will download large model weights and requires installing third-party packages.
- Guidance: This skill appears safe and does what it says: local transcription using the open-source Whisper library. Before installing, be aware it will require pip-installing third-party packages (torch and openai-whisper) and that the first run will typically download large model files (hundreds of MBs to multiple GBs) to your machine — check disk space and network usage. Install torch from the official source appropriate for your GPU/OS to avoid incompatibilities. If you have privacy concerns, note transcription runs locally (no credentials are requested), but downloaded model files are cached on disk; inspect or run in a sandbox if you want stricter isolation. Finally, some model names listed (e.g., large-v3-turbo) may not be available in every whisper distribution — test with smaller models first.
Review Dimensions
- Purpose & Capability (ok): Name/description (local Whisper STT) match the files and runtime instructions. The included scripts implement local transcription using the openai-whisper package; no unrelated credentials, binaries, or services are requested.
- Instruction Scope (ok): SKILL.md and scripts only instruct installing Python packages (openai-whisper, torch), optionally ffmpeg, and running the local transcribe script. The scripts read the provided audio file and print formatted output; they do not access other system paths, environment variables, or remote endpoints directly from the skill code.
- Install Mechanism (note): There is no install spec (instruction-only plus two script files) which is low risk. Runtime use of whisper.load_model will, however, typically download model weights from upstream hosts (large files). That network activity and large disk/cache use is expected behavior for Whisper but worth noting.
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths. The code does not read secrets or unrelated env vars. The dependency list (openai-whisper, torch, optional ffmpeg) is proportionate to local transcription.
- Persistence & Privilege (ok): always is false and the skill does not request persistent elevated privileges or modify other skills. It runs only when invoked and does not attempt to change global agent settings.
