Back to skill
Skillv1.0.0
ClawScan security
Voice · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 12, 2026, 11:56 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and instructions are consistent with its stated purpose (transcribe Telegram voice messages with faster-whisper and reply with TTS); nothing requested is disproportionate or unrelated to that goal.
- Guidance
- This skill appears coherent for Telegram voice transcription and TTS replies. Before installing or enabling it: confirm you trust the faster-whisper package and are comfortable allowing a pip install (it will pull third-party code and download model weights which can be large); ensure your agent/platform already has Telegram credentials and a TTS tool configured (the skill expects those but does not manage them); consider running installations in a controlled environment if you want to limit supply-chain risk or disk/network usage.
Review Dimensions
- Purpose & Capability
- okName/description (Telegram voice transcription + TTS replies) matches the instructions: they show using faster-whisper to transcribe .ogg files and using an existing TTS/send tool to reply. The skill does not request unrelated credentials or tools.
- Instruction Scope
- okSKILL.md stays on task: it shows a small faster-whisper snippet for transcribing a local file path and JSON actions for sending TTS replies to the Telegram channel. It does not instruct reading arbitrary files, other env vars, or exfiltrating data to unexpected endpoints.
- Install Mechanism
- noteThere is no install spec, but SKILL.md advises installing faster-whisper via pip. Pip installs and model downloads are normal for this purpose but involve executing third-party code and downloading model weights from upstream—this is a legitimate functional requirement but carries the usual supply-chain and resource risks (bandwidth, disk).
- Credentials
- okThe skill declares no required env vars or credentials. It implicitly relies on the agent/platform having Telegram and TTS capability already configured; it does not ask for unrelated secrets or broad access.
- Persistence & Privilege
- okalways is false and the skill does not request persistent or system-wide privileges. It does not ask to modify other skills or agent configs.