Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Jetson CUDA Voice Pipeline
v1.1.0Fully offline, CUDA-accelerated local voice assistant pipeline for NVIDIA Jetson. Wake word (openWakeWord) → real-time VAD → whisper.cpp GPU STT → LLM → Pipe...
⭐ 0· 497·0 current·0 all-time
byManolis Nikiforakis@nikil511
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (Jetson CUDA voice pipeline) match the code and SKILL.md. Required binaries (arecord, aplay, python3) and dependencies (openwakeword, piper-tts, whisper.cpp) are appropriate for the stated functionality. Required env var OPENROUTER_API_KEY is used by the code to call an LLM and is consistent with the stated 'only the LLM uses the internet' claim.
Instruction Scope
Runtime instructions and scripts stick to the stated pipeline. The code captures microphone audio, runs local STT/TTS, and sends transcriptions to the LLM_URL (defaults to openrouter.ai). This is within scope, but it does mean user speech (transcriptions) are transmitted off-device to the configured LLM provider — the SKILL.md does disclose this, but users should be aware of the data flow and privacy implications.
Install Mechanism
No opaque download/install spec in skill registry; build and download steps are explicit in SKILL.md/BUILD.md (git clone github.com/ggerganov/whisper.cpp, wget from huggingface, pip installs). These are standard sources for this workload; no shorteners or personal servers are used. Building whisper.cpp on-device is heavy but expected.
Credentials
Only one required env var (OPENROUTER_API_KEY) is requested and it is justified by the LLM call. However, setup.sh embeds the API key directly into the user systemd unit file (Environment=...), which persists the secret in plain text in ~/.config/systemd/user — a practical security concern to consider (see guidance).
Persistence & Privilege
setup.sh installs and enables user-level systemd services (whisper-server and voice-pipeline) so the pipeline persists for the user session; always:false so it is not force-included. The optional udev rule in instructions requires root to write /etc/udev/rules.d (expected for USB device handling). The service persistence combined with storing the API key in the unit increases the impact of a compromised account or machine.
Assessment
This skill appears to do what it says (local STT/TTS with a networked LLM). Before installing, consider: (1) Your speech is transcribed locally but the resulting text is sent to whatever LLM endpoint you configure (default openrouter.ai). Only install if you trust that provider or change VOICE_LLM_URL to a local/self-hosted endpoint. (2) setup.sh writes Environment="OPENROUTER_API_KEY=..." into a user systemd unit file (~/.config/systemd/user) — that stores your API key in plain text; consider using a systemd EnvironmentFile with restricted permissions or another secret mechanism instead of embedding the key. (3) The optional udev fix requires sudo (writes /etc/udev/rules.d). (4) Building whisper.cpp on a Jetson is time- and resource-intensive; follow BUILD.md and ensure you have adequate swap/free memory. (5) Inspect the scripts yourself (they're included) before running them. If you want stronger privacy, run a local/air-gapped LLM-compatible server and set VOICE_LLM_URL accordingly or avoid providing an API key.Like a lobster shell, security has layers — review code before you run it.
latestvk974smg03k06ksn8t6tb9ddmd981rmf2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎙️ Clawdis
OSLinux
Binsarecord, aplay, python3
EnvOPENROUTER_API_KEY