Local Whisper (cpp)
PassAudited by ClawScan on May 1, 2026.
Overview
This is a coherent local transcription wrapper, with the main caution being a user-directed model download from a remote URL into a system directory without checksum or pinning.
This skill appears safe for its stated purpose if you already trust your local whisper-cli installation. Before installing the model, verify the Hugging Face download source and consider using a pinned or checksum-verified model file, especially because the documented path is under /usr/share and may require elevated permissions.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the remote model changes or is tampered with, transcription quality or behavior could change; writing to /usr/share may also require administrator-level access.
The setup downloads a required model from a mutable remote URL into a system directory without a checksum or pinned artifact version. This is purpose-aligned for local transcription, but users should notice the provenance and privilege implications.
wget https://huggingface.co/ggerganov/whisper.cpp/resolve/main/ggml-large-v3-turbo.bin?download=true -O /usr/share/whisper.cpp-model-large-v3-turbo/ggml-large-v3-turbo.bin
Use a trusted packaged model or verify the downloaded file with a published checksum, and only write to system directories when you understand the required permissions.