mlx-whisper

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill’s purpose is understandable, but it asks OpenClaw to run a wrapper script for voice messages even though that script is not included in the provided files.

Review this skill carefully before installing. Local transcription is a reasonable design, but the package as provided does not include the wrapper script it tells you to install and run. Wait for a complete package, read the wrapper script before enabling it, pin the Python package version, and verify the model source rather than trusting whatever is served at download time.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user following the instructions would configure OpenClaw to run a script that was never available for review, or would go looking for a replacement from an unknown source. Either way, the command that runs on every voice message is unreviewed.

Why it was flagged

The provided file manifest includes only README.md, SKILL.md, and package.json. The wrapper script that SKILL.md tells the user to copy into place and execute, `bin/mlx-whisper-transcribe.sh`, is absent from the reviewed artifacts, so its contents could not be assessed.

Skill content
Copy `bin/mlx-whisper-transcribe.sh` from this skill to `<user-base>/bin/mlx-whisper-transcribe.sh`, then make it executable
Recommendation

Do not install until the wrapper script is included in the package and reviewed; avoid substituting scripts from unknown locations.
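A quick way to turn this finding into a check you can run on any skill package, as an added example (not ClawScan's or the skill's own tooling): it extracts every `bin/*.sh` path mentioned in SKILL.md and reports the ones that do not exist in the package directory. The sample skill directory is constructed here to mirror the reviewed manifest (README.md, SKILL.md and package.json only, no bin/ directory); the `bin/<name>.sh` path shape is an assumption about how skills reference their scripts.

```shell
#!/usr/bin/env bash
# Added example, not part of the mlx-whisper skill or of ClawScan:
# flag scripts that SKILL.md tells the user to install but that are
# not shipped in the package. Assumes script references look like bin/<name>.sh.
set -eu

# missing_referenced_scripts SKILL_DIR
#   prints each bin/*.sh path mentioned in SKILL.md that is absent from SKILL_DIR
#   returns 1 if anything is missing, 0 if every referenced script is present
missing_referenced_scripts() {
  skill_dir="$1"
  missing=0
  # grep -o pulls out the candidate relative paths; sort -u checks each once
  for rel in $(grep -oE 'bin/[A-Za-z0-9._-]+\.sh' "$skill_dir/SKILL.md" | sort -u); do
    if [ ! -f "$skill_dir/$rel" ]; then
      echo "$rel"
      missing=1
    fi
  done
  return $missing
}

# Constructed sample package mirroring the reviewed manifest: three files, no bin/.
make_sample_skill() {
  dir=$(mktemp -d)
  : > "$dir/README.md"
  : > "$dir/package.json"
  cat > "$dir/SKILL.md" <<'EOF'
Copy `bin/mlx-whisper-transcribe.sh` from this skill to `<user-base>/bin/mlx-whisper-transcribe.sh`, then make it executable
EOF
  echo "$dir"
}

SAMPLE=$(make_sample_skill)
if missing_referenced_scripts "$SAMPLE"; then
  echo "all referenced scripts are present in the package"
else
  echo "do not install: the script(s) above are referenced but not shipped"
fi
```

Run it against an unpacked skill directory; an empty result means every script the instructions mention is actually there to be read, which is the precondition for the rest of the review.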

What this means

Voice messages will trigger a local transcription command, and the resulting text will be passed to the agent.

Why it was flagged

The skill configures OpenClaw to execute a local command automatically whenever an audio file arrives, with the file's path passed as the only argument. That is consistent with local transcription, but it is still automatic command execution driven by inbound media: whoever can send a voice message controls the bytes the script is handed, and the script itself was not available for review.

Skill content
"command": "<user-base>/bin/mlx-whisper-transcribe.sh", "args": ["{{MediaPath}}"], "timeoutSeconds": 60
Recommendation

Only enable this after confirming the exact script path and reading its contents. Keep the command limited to the intended transcription wrapper, keep the 60-second timeout, and make sure the wrapper validates the path it receives rather than passing it straight to another tool.
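What a reviewable wrapper would look like, as an added example (this is not the missing `bin/mlx-whisper-transcribe.sh`, whose contents were not available for review): before anything runs, it checks that the `{{MediaPath}}` argument does not start with `-`, is not a symlink, is a regular file with an expected audio extension, and resolves inside the directory the agent is assumed to write media to. `MEDIA_ROOT` is an assumed location and the transcription command is left as the `TRANSCRIBE_CMD` placeholder, so the example runs without mlx-whisper installed.

```shell
#!/usr/bin/env bash
# Added example: a path-validating wrapper in the shape of the script the
# skill tells the user to install. Not the skill's own script (which was not
# in the package). MEDIA_ROOT and TRANSCRIBE_CMD are assumptions.
set -eu

# Directory OpenClaw is assumed to save inbound audio to; set to the real one.
MEDIA_ROOT="${MEDIA_ROOT:-${HOME:-/tmp}/.openclaw/media}"

# validate_media_path PATH -> 0 if PATH is acceptable, 1 otherwise
validate_media_path() {
  p="$1"
  case "$p" in
    -*) return 1 ;;                 # would be parsed as an option by the next tool
  esac
  if [ -L "$p" ]; then return 1; fi # -f follows symlinks, so reject them first
  [ -f "$p" ] || return 1           # regular file only: no FIFOs, devices, dirs
  case "$p" in
    *.ogg|*.oga|*.opus|*.m4a|*.mp3|*.wav) ;;  # expected voice-message formats
    *) return 1 ;;
  esac
  [ -d "$MEDIA_ROOT" ] || return 1  # an empty root below would match everything
  root=$(cd "$MEDIA_ROOT" && pwd -P) || return 1
  real=$(cd "$(dirname "$p")" && pwd -P)/$(basename "$p")
  case "$real" in                   # containment after resolving directory symlinks
    "$root"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# transcribe PATH: validate, then hand the path to the audited transcription
# command. "--" stops the path from being read as an option.
transcribe() {
  validate_media_path "$1" || { echo "refusing to transcribe: $1" >&2; return 1; }
  ${TRANSCRIBE_CMD:-echo would-transcribe} -- "$1"
}

if [ "$#" -eq 1 ]; then
  transcribe "$1"
fi
```

The point of the extension and containment checks is that the command runs on every inbound audio attachment; the wrapper, not the sender, should decide what reaches the transcription tool.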

What this means

Without a pinned version, each `pip3 install mlx-whisper` resolves to whatever version PyPI serves at that moment, and a model fetched by name can likewise change upstream without any change to the skill. What you reviewed and what you run may differ.

Why it was flagged

The skill installs a public Python package without a pinned version and later downloads a model; this is expected for the stated purpose but depends on external package/model sources.

Skill content
pip3 install mlx-whisper
Recommendation

Pin the package version (with hashes where possible), record the checksum of the model you reviewed, and verify it before relying on the skill for routine use.
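Pinning and verification as concrete commands, as an added example that is not from the skill: a hash-pinned requirements file that `pip3 install --require-hashes` refuses to install if the wheel digest changes, and a SHA-256 check for a downloaded model file against the digest recorded at review time. The version and hash in the requirements file are placeholders to be replaced with the reviewed release, the install function is defined but not run here because it needs the network, and the model file is a constructed stand-in whose recorded digest is the SHA-256 test vector for the string `abc`.

```shell
#!/usr/bin/env bash
# Added example, not part of the skill: pin the Python package by version and
# hash, and verify a downloaded model against a digest recorded at review time,
# so a silent upstream change fails loudly instead of running unreviewed code.
set -eu

# write_pinned_requirements FILE: placeholder version/hash; replace with the
# reviewed release and the digests `pip3 hash` prints for its wheels.
write_pinned_requirements() {
  cat > "$1" <<'EOF'
mlx-whisper==0.0.0 \
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
EOF
}

# install_pinned REQ_FILE: network step, defined but not executed in this example.
# --require-hashes makes pip reject any distribution whose digest is not listed.
install_pinned() {
  pip3 install --require-hashes -r "$1"
}

# sha256_of FILE -> hex digest, using whichever tool the platform provides
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1   # macOS, where mlx runs
  fi
}

# verify_model FILE EXPECTED_SHA256 -> 0 on match, 1 on any difference
verify_model() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# Constructed stand-in for a downloaded model file. In practice EXPECTED is
# the digest you recorded when you reviewed the model, not computed on the fly.
MODEL=$(mktemp)
printf 'abc' > "$MODEL"
EXPECTED=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

if verify_model "$MODEL" "$EXPECTED"; then
  echo "model digest matches the reviewed version"
else
  echo "model digest changed: do not use" >&2
fi
```

Keep the requirements file and the recorded model digest next to the skill configuration, and run the digest check from the wrapper before transcription rather than only at install time, so a model replaced on disk is caught as well.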