Skill v1.0.0
ClawScan security
Local Whisper Hardened · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 1:41 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements are consistent with a local Whisper transcription tool; it requires ffmpeg and local Python packages and does not ask for unrelated credentials or perform unexpected network exfiltration.
- Guidance: This skill appears coherent for local Whisper transcription, but take these precautions before installing: 1) Confirm you trust the openai-whisper and torch packages and install them only from the documented PyPI/PyTorch index (avoid custom/unknown indexes). 2) Expect large model downloads and substantial disk usage; check available disk space and bandwidth. 3) Use the recommended virtual environment (.venv) to avoid contaminating your system Python. 4) Follow the SAFETY.md guardrails: do not pipe transcriptions to shells or automatic executors and do not upload transcripts to external endpoints without explicit review. 5) If you require higher assurance, inspect the packages you will install (package metadata, checksums, source repo) before running pip and consider installing in an isolated sandbox or offline environment.
Review Dimensions
- Purpose & Capability (ok): Name/description match the included script and instructions: the CLI transcribes local audio with OpenAI Whisper models, requires ffmpeg and the openai-whisper/torch packages, and documents model sizes and options. Nothing requested (no credentials, no unrelated binaries) is inconsistent with a local STT tool.
- Instruction Scope (ok): SKILL.md and SAFETY.md explicitly limit behavior to local transcription, warn against piping outputs to shells or sending transcripts to external endpoints, and the script only reads the provided audio file and outputs text/JSON. There are no instructions to read unrelated system files or to exfiltrate data.
- Install Mechanism (note): This is instruction-only (no formal install spec). SKILL.md recommends creating a venv and installing click, openai-whisper, and torch using the official PyTorch CPU index URL, a reasonable, traceable approach. Note: pip installs and model downloads execute code and fetch large model weights over the network, so users should ensure they trust the package sources and have sufficient disk/network resources.
- Credentials (ok): The skill declares no required environment variables, no credentials, and no config paths. That is proportional for a local transcription tool.
- Persistence & Privilege (ok): always is false, the skill is user-invocable only, and it does not request to modify other skills or system-wide agent configuration. It does not require persistent elevated privileges.
