Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Speech Recognition Local

v1.0.3

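Local Speech-to-Text. Runs the Whisper model locally using faster-whisper, with no API fees, completely free. Automatically triggers transcription when a voice message (.ogg .m4a .mp3) is received; supports Chinese/English/Japanese/auto-detection. | Free local STT/TTS alternati...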

0 · 216 · 2 current · 2 all-time
by lllleo @zktufo
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code: a local transcription script using faster-whisper. However the description's 'fully offline' claim conflicts with the documented '首次使用自动下载' (first-use auto-download) behavior — initial model download requires network access.
Instruction Scope
SKILL.md instructs the agent to run a single local script with an audio file and optional language. The script only reads the provided audio file and model artifacts; it does not reference unrelated system files, environment variables, or external endpoints in its code. No data exfiltration is present.
Install Mechanism
There is no install spec (low installation risk). SKILL.md says 'faster-whisper(首次使用自动安装)' (auto-installed on first use), but the script contains no auto-install logic (it simply imports faster_whisper). That mismatch means the user/agent must ensure faster-whisper and model artifacts are present; otherwise the script will fail and the model download will be triggered by the library at runtime.
Credentials
No environment variables, credentials, or config paths are requested. The skill does not ask for unrelated secrets or elevated access.
Persistence & Privilege
The skill does not request permanent presence (always=false) and does not modify other skills or system-wide agent settings. It caches the model in memory during a run, which is expected behavior.
What to consider before installing
This skill is generally coherent with its stated purpose (local STT using faster-whisper) but check a few things before installing:
1) The script imports faster_whisper but does not install it for you — install faster-whisper (and its dependencies) in your environment first.
2) The first run will typically download model weights from the internet (Hugging Face or the library's source), so it is not strictly 'fully offline' until you pre-download and cache the model; expect bandwidth and storage usage.
3) Review available disk space and the 25MB per-file limit.
4) If privacy is critical, pre-download model files manually in a controlled environment so the runtime doesn't fetch them from external servers.
5) If you want automated dependency installation, consider adding a vetted install step (pip/conda) or run in an isolated virtualenv.
These mismatches look like sloppy documentation rather than malicious intent, but verify dependencies and initial model download behavior before trusting with sensitive audio.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dcn6k9dcafh1c19vgz65mv983rra5

Runtime requirements

🎙️ Clawdis
OS: Linux · macOS · Windows
