Skill v1.3.0

ClawScan security

ANY WHISPER API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 26, 2026, 9:41 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent: it uses curl and two env vars (WHISPER_API_KEY, WHISPER_API_HOST) to POST audio to a Whisper-compatible API endpoint and the files/instructions match that purpose — no obvious mismatches or stealthy behavior were found.
Guidance
This script will upload whatever audio file you give it to the host in WHISPER_API_HOST using the token in WHISPER_API_KEY. Before using: (1) verify WHISPER_API_HOST is a trusted endpoint (a local whisper server or the official API) — a malicious host could capture your audio; (2) keep WHISPER_API_KEY secret; (3) note the transcript is written to disk at the output path (default: <input>.txt) so handle that file appropriately; (4) the SKILL.md config example references "openai-whisper-api" (likely copy/paste) — that’s a naming inconsistency but not a functional issue. If you plan to point to an unauthenticated local server, you can still set WHISPER_API_HOST but the script currently requires an API key even if the server doesn’t need one.

Review Dimensions

Purpose & Capability
ok: Name/description, required binary (curl), and required env vars (WHISPER_API_KEY, WHISPER_API_HOST) align with the stated purpose of sending audio to a Whisper-compatible API for transcription.
Instruction Scope
note: SKILL.md and scripts/transcribe.sh are narrowly scoped: they read a local audio file, require the API key/host, POST the file to /v1/audio/transcriptions, and write the transcript to disk. Note: the script will send the audio to whatever WHISPER_API_HOST is set to (defaulting to api.openai.com), so the host must be trusted.
Install Mechanism
ok: No install spec (instruction-only plus a small shell script). Nothing is downloaded or written during install — lowest-risk install pattern.
Credentials
note: Requested environment variables are appropriate for this task. Minor quibble: requiring WHISPER_API_KEY for a local, unauthenticated Whisper server is unnecessary but not dangerous. Ensure the provided WHISPER_API_HOST and WHISPER_API_KEY are correct and trusted because sensitive audio will be transmitted to that endpoint.
Persistence & Privilege
ok: always:false and no special persistence or cross-skill config modifications. The skill does not request elevated or persistent platform privileges.