ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MLX Audio Server

v0.2.2

Local 24x7 OpenAI-compatible API server for STT/TTS, powered by MLX on your Mac.

0· 2.5k·8 current·8 all-time
by@guoqiao
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the provided scripts and README: the skill installs a Homebrew formula for an MLX audio server, exposes OpenAI-compatible endpoints on localhost, and includes helper scripts for STT/TTS. Required binary (brew) and ffmpeg/jq usage are appropriate for the stated purpose.
Instruction Scope
SKILL.md and the scripts limit actions to installing the Homebrew formula, starting/restarting a brew service, converting audio with ffmpeg, and POSTing to localhost:8899. They do not read unrelated system files or exfiltrate data to remote endpoints beyond standard Homebrew/GitHub network operations.
!
Install Mechanism
There is no formal install spec; the provided install.sh runs 'brew install guoqiao/tap/mlx-audio-server' and 'brew services restart'. This pulls code from a third-party Homebrew tap (guoqiao). Installing a third-party tap via brew is a moderate risk because it executes/installs upstream code not bundled with the skill and the tap/source should be reviewed before trust. No direct download URLs are embedded in the skill, but the tap may fetch arbitrary code.
Credentials
The skill requests no secrets or credentials. It optionally reads MLX_AUDIO_SERVER_PORT for the local port. There are no requested env vars that don't match the task.
!
Persistence & Privilege
The skill is marked always: true, which force-includes it in every agent run. Combined with the install script that registers a LaunchAgent (brew services) and restarts a service, this grants the skill ongoing system presence without clear justification. While running a local service fits the skill's purpose, always: true is broader than necessary and increases blast radius if the tapped formula or service behaved unexpectedly.
What to consider before installing
This skill appears to do what it says (install a local MLX audio server and provide STT/TTS helpers), but take these precautions before installing: - Review the Homebrew tap/formula (guoqiao/tap) referenced by install.sh on GitHub to ensure the code and install steps are trustworthy. Third-party taps can install arbitrary software. - Prefer running install.sh manually yourself (inspect it line-by-line) rather than letting an agent run it autonomously. The script updates brew, installs packages, and starts a LaunchAgent service. - Because the skill is marked always: true, it will be force-included in every agent run; consider removing or disabling the skill unless you need that behavior. - No credentials are requested by the skill, and the runtime scripts only contact localhost for the API, but network activity to fetch the Homebrew tap and packages will occur. Only install on a machine you control and trust. If you want help auditing the Homebrew formula or reviewing the tap's repository, provide the tap URL and I can list the specific install actions to check.

Like a lobster shell, security has layers — review code before you run it.

Apple Siliconvk975c7ns0zmxhsbrakepf9ajh580xc6tMac minivk975c7ns0zmxhsbrakepf9ajh580xc6tMacBookvk975c7ns0zmxhsbrakepf9ajh580xc6tapivk975c7ns0zmxhsbrakepf9ajh580xc6tasrvk975c7ns0zmxhsbrakepf9ajh580xc6taudiovk975c7ns0zmxhsbrakepf9ajh580xc6tcompatiblevk975c7ns0zmxhsbrakepf9ajh580xc6tglmvk975c7ns0zmxhsbrakepf9ajh580xc6tglm-asrvk975c7ns0zmxhsbrakepf9ajh580xc6tglm-asr-nano-2512vk975c7ns0zmxhsbrakepf9ajh580xc6tglm-asr-nano-2512-8bitvk975c7ns0zmxhsbrakepf9ajh580xc6tlatestvk975c7ns0zmxhsbrakepf9ajh580xc6tlocalvk975c7ns0zmxhsbrakepf9ajh580xc6tmacOSvk975c7ns0zmxhsbrakepf9ajh580xc6tmlxvk975c7ns0zmxhsbrakepf9ajh580xc6tmlx-audiovk975c7ns0zmxhsbrakepf9ajh580xc6tmlx-audio-servervk975c7ns0zmxhsbrakepf9ajh580xc6topenaivk975c7ns0zmxhsbrakepf9ajh580xc6topenai-compatiblevk975c7ns0zmxhsbrakepf9ajh580xc6tservervk975c7ns0zmxhsbrakepf9ajh580xc6tspeech-to-textvk975c7ns0zmxhsbrakepf9ajh580xc6tsttvk975c7ns0zmxhsbrakepf9ajh580xc6ttext-to-speechvk975c7ns0zmxhsbrakepf9ajh580xc6ttranscriptionvk975c7ns0zmxhsbrakepf9ajh580xc6tttsvk975c7ns0zmxhsbrakepf9ajh580xc6t

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🦞 Clawdis
OSmacOS
Binsbrew

Comments