ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Local speech to text Qwen3-ASR w/ OpenVINO (no API key)

v1.0.2

Local offline ASR on Windows — no cloud, no API cost, full privacy. Qwen3-ASR 0.6B + Intel OpenVINO, GPU-accelerated inference. NETWORK: required for first-t...

0· 110·0 current·0 all-time
by@juan-oy
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill's name/description (local Qwen3-ASR + OpenVINO) align with the code and SKILL.md. The scripts create a venv, install Python packages, clone the Qwen3-ASR repo, and download the ModelScope model — all expected for an offline ASR skill. Scanning drives and writing under {USERNAME}_openvino\ asr and venv is consistent with the declared purpose.
Instruction Scope
SKILL.md limits actions to Windows/PowerShell and instructs running setup.py and download_model.py for one-time setup, then using acoustic_pipeline.py/transcribe.py for inference. The runtime instructions require reading/writing a state.json under {drive}:\{username}_openvino\asr and scanning drives to find that directory; these operations are within scope for locating/installing a large local model but do give the skill wide filesystem visibility on local drives.
Install Mechanism
There is no automatic registry install; installation is performed by the provided setup.py (creates venv, pip installs packages, clones GitHub) and download_model.py (uses modelscope.snapshot_download). This is a moderate-risk model: code downloads from GitHub and ModelScope (modelscope.cn) and installs packages into a venv. No opaque shorteners or personal servers are used, but those external network operations will run when you execute the setup/download scripts.
Credentials
The skill declares no required environment variables or credentials. It does read common environment values like USERNAME and standard proxy env vars (HTTP_PROXY/HTTPS_PROXY) and may query Windows WinHTTP proxy; this is justified for locating the install path and handling proxy-aware downloads. No cloud API keys or unrelated secrets are requested.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It writes state.json and asr_engine.py under the chosen {USERNAME}_openvino root and creates a shared venv there — this is expected for a persistent local model but means the skill will create files at drive-root paths (e.g., C:\{username}_openvino). The code also scans all drives to discover installations, which is broad but explained by the need to locate prior installs.
Assessment
This package appears to do what it says: set up a local venv, clone the Qwen3-ASR repo from GitHub, install Python packages, and download ~2 GB of model data from ModelScope; inference afterwards is local/offline. Before running: (1) confirm you have enough disk space and are OK with a new directory at the root of a drive (e.g., C:\<username>_openvino\), (2) review setup.py and download_model.py (they will run pip install and git clone and call modelscope.snapshot_download), (3) ensure you trust the upstream model/repo (QwenLM Qwen3-ASR and ModelScope links in the scripts), (4) run the setup and download steps in a terminal (they are not automatic) and inspect console output for any unexpected network endpoints. Because the source/owner are unknown, exercise caution and prefer running these scripts in a controlled environment (VM or throwaway machine) if you need stronger assurance.

Like a lobster shell, security has layers — review code before you run it.

latestvk9747cbasrfqycy3p3s2enj3eh84r6mz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments