Skill v1.0.0

ClawScan security

OpenAI Whisper Local · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 10, 2026, 4:39 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to be a local Whisper CLI wrapper and mostly coherent, but a few small inconsistencies (notably a mismatched model name and an unverified Homebrew formula origin) warrant caution before installing.
Guidance
This skill is mostly coherent for local transcription: it requires a 'whisper' CLI and suggests installing via Homebrew. Before installing, verify the Homebrew formula's source/tap to ensure it's official or trusted. Confirm the installed 'whisper' binary is the expected project (run 'whisper --version' or inspect the formula). Note that the CLI will download models to ~/.cache/whisper (network activity and disk use) on first run. The SKILL.md's reference to a default model named 'turbo' is inconsistent with common Whisper model names (tiny, base, small, medium, large) — treat that as a possible typo or as an indication the wrapper may do additional work; ask the maintainer or inspect the formula if you need guarantees. Test on non-sensitive audio first, run in a sandbox or non-privileged account if possible, and avoid installing software from unverified taps on production machines.

Review Dimensions

Purpose & Capability
note: The name/description (local Whisper CLI) match the declared requirement for the 'whisper' binary and the brew install of formula 'openai-whisper'. However, SKILL.md claims the default model is 'turbo' (an LLM-style name) which is not a standard Whisper model name — this mismatch is unexplained and could be a typo or indicate a wrapper that behaves differently than expected.
Instruction Scope
ok: SKILL.md only instructs running the local 'whisper' CLI against local audio files and saving transcripts; it notes models download to ~/.cache/whisper on first run. There are no instructions to read unrelated files, access environment variables, or post data to unexpected endpoints. Be aware the CLI will download models from the network on first use.
Install Mechanism
note: Install is via Homebrew formula 'openai-whisper', which is an expected low-risk install mechanism in general. The skill package does not include the brew formula source, so the specific tap/origin of that formula is not verified here — confirm the formula comes from a trusted tap before installing.
Credentials
ok: No environment variables, credentials, or config paths are requested. This is proportional for a local CLI transcription tool that doesn't call external APIs requiring keys.
Persistence & Privilege
ok: The skill does not request always-on presence and has default autonomy settings. It does not attempt to modify other skills or system-wide settings per the provided metadata.