ClawHub

Faster Whisper

Security checks across malware telemetry and agentic risk

Overview

The skill is coherently focused on local speech-to-text, with disclosed setup, downloader, and optional Hugging Face token use that users should review but no artifact-backed malicious behavior.

This appears safe to use for its stated purpose. Before installing, be aware that setup installs Python ML packages, URL/RSS transcription downloads external media, and diarization may use your Hugging Face token. Use the minimal flags needed and keep transcription outputs private if the audio contains sensitive content.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#
ASI02: Tool Misuse and Exploitation
Low
What this means

If used on a URL or feed, the skill may download external media before transcribing it.

Why it was flagged

The skill can fetch remote media via yt-dlp/RSS as part of transcription. This is disclosed and purpose-aligned, but users should provide trusted URLs and expect network downloads.

Skill content
Transcribe from URLs — YouTube links and direct audio URLs (auto-downloads via yt-dlp); Transcribe podcast feeds — `--rss <feed-url>` fetches and transcribes episodes
Recommendation

Use URL/RSS features only for sources you intend to download and transcribe; otherwise use local-file transcription.

#
ASI03: Identity and Privilege Abuse
Medium
What this means

Using diarization may rely on your local Hugging Face authentication token.

Why it was flagged

The skill declares optional use of a local Hugging Face token path for diarization-related functionality. This is expected for pyannote-style speaker diarization, but it is still credential access.

Skill content
"optionalPaths": ["~/.cache/huggingface/token"]
Recommendation

Only enable diarization or provide `--hf-token` when needed, and avoid pasting tokens into prompts or shared logs.

#
ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing the skill can bring in third-party Python package code from the package index.

Why it was flagged

The Python dependency is version-ranged rather than pinned exactly, so setup may install a newer dependency release. This is common for Python ML tools but is a supply-chain consideration.

Skill content
faster-whisper>=1.2.1
Recommendation

Install in the provided virtual environment, review dependencies if you require reproducibility, and pin versions locally if needed.

#
ASI05: Unexpected Code Execution
Low
What this means

Running setup executes local shell commands and modifies the skill directory by creating a virtual environment.

Why it was flagged

The setup script creates a local virtual environment and later installs dependencies. This is a user-directed install flow and matches the local ML transcription purpose.

Skill content
if command -v uv &> /dev/null; then
        uv venv "$VENV_DIR" --python python3
    else
        python3 -m venv "$VENV_DIR"
    fi
Recommendation

Run setup only from the skill directory you trust, and avoid running it with elevated privileges unless you have a separate reason.