Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

mlx-whisper

v1.0.0

Local speech-to-text with MLX Whisper (Apple Silicon optimized, no API key).

by Shiwen Han @tshogx
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The description promises local speech-to-text on Apple Silicon which matches the SKILL.md examples. However, the metadata lists no required binaries or install steps while the instructions repeatedly call a 'mlx_whisper' CLI — that binary (or an install instruction) is necessary for the skill to work and should be declared.
Instruction Scope
Runtime instructions are narrowly scoped to transcription commands (input audio, output formats, model selection) and reference only a user audio path and a local cache (~/.cache/huggingface/). They do not instruct reading unrelated system files or exfiltrating data.
Install Mechanism
There is no install spec (instruction-only), which is low risk, but also inconsistent with the CLI-based instructions. The skill relies on an external 'mlx_whisper' binary being present — the skill should either declare that binary or provide installation instructions or a reputable source.
Credentials
The skill declares no environment variables, but it references Hugging Face model identifiers and a Hugging Face cache location. Some Hugging Face models require authentication (HUGGINGFACE_HUB_TOKEN) or are large downloads; the skill does not acknowledge this or request tokens, which is an omission that could lead to unexpected network access or failure.
Persistence & Privilege
The skill does not request persistent/always-on privileges and does not modify system or other-skill configurations. It will write downloaded models into the user's Hugging Face cache (~/.cache/huggingface/), which is expected for local model use.
What to consider before installing
This is an instruction-only skill that expects a local 'mlx_whisper' CLI and will download model files into ~/.cache/huggingface/. Before installing or using: (1) verify you have a trusted source for the 'mlx_whisper' binary and install it from an official repository; (2) confirm the model 'mlx-community/whisper-large-v3-turbo' is public or whether you need a HUGGINGFACE_HUB_TOKEN (the skill doesn't declare it); (3) be aware downloads may be large and require network access; (4) ensure you are on an Apple Silicon Mac as required. If any of these are unclear from the skill publisher, ask for an install guide and explicit explanation of model provenance and auth requirements.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ezyyts2bp07dtc873qg070s82md17
