Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

turbo-whisper-local-stt

v1.0.4

Triggers automatically when the user wants **audio to text**, **speech to text**, **transcription of a recording**, **subtitle generation**, **meeting recording to text**, **voice notes to text**, or **local audio transcription**. Uses local Faster-Whisper (models such as large-v3-ct2) for high-performance, Chinese-first audio-to-text, fully offline and privacy-safe, supporting wav/mp...

0 · 163 · 0 current · 0 all-time
by 顶尖王牌程序员 (@wangminrui2022)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name and description (local Faster-Whisper STT) align with the included scripts: transcribe.py, env_manager, ensure_package, etc. The code only implements audio transcription, model download, VAD segmentation, batch recursion and output formatting, as advertised.
Instruction Scope
SKILL.md instructs the agent to run scripts/transcribe.py with an audio path; the script follows that contract (accepts file or directory and only processes audio extensions). It also performs environment checks (Python version), creates a virtualenv, detects GPU via nvidia-smi, and installs packages. These bootstrap actions are within reason for a self-contained local tool but widen the scope beyond 'just transcribe' because they modify filesystem state and can install packages.
Install Mechanism
There is no packaged install spec in registry metadata; instead the skill bootstraps at runtime: it creates a venv, runs pip installs (using Tsinghua mirror and PyTorch download URLs) and uses huggingface_hub.snapshot_download to fetch models. The hosts used (pypi / download.pytorch.org / huggingface.co) are expected and reputable, but the runtime install will download large artifacts (PyTorch wheels, model files) and execute installation commands on the host. This is heavy but coherent for the purpose.
Credentials
The skill does not request credentials or environment variables. It will create a virtual environment and directories (models/, logs/) under paths derived from the skill root. One noteworthy design choice: VENV_DIR is set to SKILL_ROOT.parent.parent.parent / 'venv', which places the virtualenv outside the skill folder (likely a shared 'skills/venv' location). That is not obviously malicious, but it is a broader filesystem footprint than a self-contained venv inside the skill directory.
Persistence & Privilege
The skill does not set always: true and does not change other skills' configs. It does persist artifacts (virtualenv, installed packages, downloaded models, logs) on disk and may create a shared venv location. Autonomous invocation is allowed (the default), which is normal; combined with the ability to run installs and downloads, this increases the operational impact, but that is expected for this kind of skill.
Assessment
This skill appears to do what it says: a local, offline-friendly STT tool using Faster-Whisper. Before installing or invoking it, consider:

- Resource & network: the first run will create a virtualenv and install packages (including PyTorch) and download model files from Hugging Face—these can be gigabytes and take time/bandwidth.
- Disk footprint & location: it will write models/, logs/, and create a venv directory (the code places the venv one directory above the skill root, which may be shared across skills). If you prefer isolation, run it in a controlled environment (container / VM) or edit config to point the venv/models to locations you control.
- Permissions: it uses subprocess to run pip and nvidia-smi and will execute the installed Python in the created venv; review the code if you need stricter controls.
- Offline options: if you are concerned about downloads, pre-download the model and pass --model_path to avoid remote snapshot_download.

If you accept automatic installs and large downloads from PyPI/Hugging Face and are comfortable giving the script filesystem write access where your skills live, this skill is coherent and usable. If not, run it in an isolated environment or modify paths before use.


latest: vk97cgwj0vqhvjjp0zfzp27ya4584hrj9

Runtime requirements

Bins: python
