openclaw-whisper-voice
v1.0.0Local Whisper speech-to-text for audio files and inbound voice notes on the OpenClaw Gateway host. Use when setting up local transcription for WhatsApp, Tele...
⭐ 0· 112·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill claims to provide local Whisper transcription and includes installer and transcription wrapper scripts that install Python packages into ~/.local, create a ~/.local/bin/whisper launcher, and run the whisper CLI. Required binaries (whisper, ffmpeg) and the suggested configuration for tools.media.audio align with the stated use for WhatsApp/Telegram voice notes.
Instruction Scope
SKILL.md directs the operator to run the provided install script and to use the transcribe wrapper for files or inbound voice notes. The scripts only operate on specified audio files, create temporary directories for stdout-only mode, discover ffmpeg via imageio-ffmpeg, and run whisper; they do not read unrelated system files, transmit data to external endpoints, or access secrets.
Install Mechanism
Installation is manual (scripts/install_local_whisper.sh). The script uses curl to download get-pip.py from the official bootstrap.pypa.io and pip-installs many packages (including torch from the official PyTorch CPU wheel index). These sources are standard and expected, but pip-installing many packages to a user account is a significant change (disk/network) and increases the attack surface if package sources were compromised. The install writes only to the user's ~/.local and ~/.cache, not system-wide locations.
Credentials
No credentials or secret environment variables are requested. The scripts accept an optional PYTHON_BIN override (not declared as required), which is reasonable for portability. The installer and wrapper use $HOME and ~/.local as expected for a per-user install.
Persistence & Privilege
The skill does not request always:true, does not autonomously persist beyond user-run install steps, and only modifies user-local directories (~/.local, ~/.cache). It does not alter other skills' configs automatically; it suggests how to patch OpenClaw config but leaves that action to the operator.
Assessment
This skill appears coherent and implements local Whisper transcription as described, but review and consider the following before installing:
- The installer will pip-install a large set of Python packages into your home (~/.local) and will download model weights into ~/.cache/whisper on first run. Expect significant network, disk, and CPU usage.
- The install script fetches get-pip.py and uses pip from public indexes (PyPI and PyTorch wheel index). If you require stricter controls, run the install in a virtualenv, container, or on a throwaway host; or mirror/verify packages internally.
- The scripts create ~/.local/bin/whisper and a symlinked ffmpeg shim. If you already have system binaries with the same names, be aware of PATH ordering or adjust PYTHON_BIN/MY_BIN as needed.
- There are no secret/credential requirements and the scripts do not exfiltrate data. Still, inspect the scripts yourself (they are short and included) and run them as a discretionary user (not root).
- If you have limited resources or want to avoid installing heavy deps (e.g., triton/torch), consider using a smaller model, a dedicated VM, or a cloud transcription service instead.
If you want additional confidence, provide checksums for the scripts or request a signed release from the skill author before running the installer on production hosts.Like a lobster shell, security has layers — review code before you run it.
latestvk977pbfe5vzvkvmvpb0kn59zv9839k6f
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎙️ Clawdis
Binswhisper, ffmpeg