Skill v1.0.1
ClawScan security
Local Vosk STT · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 9:40 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The instructions claim a local Vosk transcription skill, but the SKILL.md references local scripts and runtime dependencies that are not present or declared; the skill is internally inconsistent and needs clarification before use.
- Guidance: Don't install or run this skill as-is. SKILL.md expects a local script at ./skills/local-vosk/scripts/transcribe, but the package contains no code files; ask the publisher for the missing scripts or a corrected package. If you plan to run the provided setup commands yourself: ensure ffmpeg is installed (the README mentions it but the skill doesn't declare it), verify the model download source and checksums, and avoid running pip with unexplained flags like --break-system-packages unless you know what they do. Prefer a packaged release (includes the transcribe script) or run Vosk in an isolated environment/container until the skill's files and provenance are confirmed.
Review Dimensions
- Purpose & Capability (concern): The description (local offline STT) matches the instructions (use vosk, download models). However SKILL.md instructs running ./skills/local-vosk/scripts/transcribe which implies bundled scripts/code that are not present in the package. Also the doc expects ffmpeg for decoding audio but the skill declares no required binaries. These gaps are disproportionate to the stated purpose.
- Instruction Scope (concern): Instructions tell the agent/user to run a local script path and to pip-install vosk and download models. Because there are no code files, an agent following these instructions would fail or attempt to run non-existent scripts. The instructions reference system actions (pip install, wget, unzip, writing to ~/vosk-models) that are reasonable for setup but include the unusual pip flag --break-system-packages without explanation.
- Install Mechanism (note): There is no formal install spec (instruction-only), which is lower risk. The manual install commands point to a legitimate upstream site (alphacephei.com) for models and use pip/wget/unzip. Those sources are expected for Vosk models; no high-risk download URLs or shorteners are used. Still, because the skill lacks bundled code, it's unclear what the referenced scripts would do when present.
- Credentials (ok): The skill requests no environment variables or credentials, which is appropriate for an offline STT tool. No unrelated secrets are requested.
- Persistence & Privilege (ok): The skill does not request always:true and does not claim to modify other skills or system settings. It appears to be an on-demand instruction-only skill.
