Skill v1.0.0

ClawScan security

Openai Whisper Api · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 11, 2026, 8:21 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and runtime instructions match its stated purpose (calling OpenAI's /v1/audio/transcriptions with curl using an OPENAI_API_KEY); nothing in the files indicates unexpected data exfiltration or unrelated privileges.
Guidance
This skill is coherent for transcribing audio with OpenAI's Speech-to-Text API: it invokes curl to upload a local audio file to https://api.openai.com/v1/audio/transcriptions and requires an OPENAI_API_KEY. Before installing, ensure you (1) are comfortable providing an OpenAI API key (the script will send the audio to OpenAI), (2) have curl available on the host, and (3) if you choose to store the key in ~/.clawdbot/clawdbot.json, protect that file with strict permissions (chmod 600) or prefer environment variables to avoid plaintext storage. Also be aware of a small metadata mismatch in the registry (the top-level metadata omitted the declared requirement for curl and OPENAI_API_KEY in SKILL.md) — make sure the agent runtime will expose OPENAI_API_KEY when you run this skill.

Review Dimensions

Purpose & Capability
note: The skill's name/description (Whisper transcriptions) align with the included script which uses curl to call api.openai.com and uploads an audio file. Minor documentation inconsistency: top-level registry metadata lists no required env/bins, but SKILL.md metadata and the script require curl and OPENAI_API_KEY.
Instruction Scope
ok: SKILL.md and scripts/transcribe.sh limit activity to reading the provided audio file, calling OpenAI's transcription endpoint, and writing the transcript to a local path. The script does not read unrelated files or send data to any third-party endpoints other than api.openai.com.
Install Mechanism
ok: No install spec; the skill is instruction-only with a small included shell script. Nothing is downloaded or written to system locations during install.
Credentials
note: The only required credential is OPENAI_API_KEY, which is appropriate for this API. Note the SKILL.md suggests storing a key in ~/.clawdbot/clawdbot.json; storing API keys in plaintext files carries risk if file permissions are lax. Also call out the mismatch between registry-level 'no required env' and the SKILL.md's declared requirements.
Persistence & Privilege
ok: Skill does not request persistent/system-wide privileges, does not set always:true, and does not modify other skills or global agent settings.