Skillv1.6.0

ClawScan security

Funasr Transcribe · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 28, 2026, 11:07 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's functionality matches its description (multi‑speaker transcription) but its runtime instructions and helper scripts perform system-level installs/patching, reference an undeclared environment variable, and a prompt‑injection signal was detected — review before running, and run in an isolated environment.
Guidance: This skill appears to implement a real multi-speaker transcription pipeline and is coherent with its name, but it does things you should not run blind: it will install system packages and Python libraries, and it includes a script that patches an installed FunASR package file in site-packages (potentially system-wide and may require sudo). If you want to use it: (1) inspect patch_clustering.py and setup_env.sh line-by-line before running, (2) prefer running inside an isolated environment (container or VM) and as a non-root user, (3) avoid enabling the optional LLM cleanup (--model) if transcripts contain sensitive data unless you trust the chosen provider and have appropriate credentials, (4) note the skill references CLAUDE_PLUGIN_ROOT (ensure the platform provides that safely), and (5) if you are uncomfortable with automated patching of site-packages, run the transcribe pipeline manually after installing dependencies yourself or ask the author for a safer install mode. Because a prompt-injection pattern was detected in the SKILL.md, treat embedded instructions that affect agent behavior or system prompts with extra caution.
Findings: [system-prompt-override] unexpected: The pre-scan detected a prompt-injection pattern in SKILL.md. The skill's documentation and scripts appear to be legitimate for transcription, but any instruction content that attempts to override system prompts should be reviewed carefully. The SKILL.md explicitly instructs setting SCRIPTS from CLAUDE_PLUGIN_ROOT and includes many runtime directives — verify nothing attempts to change agent system prompts or persist new system-level policies.

Review Dimensions

Purpose & Capability: noteName/description match the included code: scripts perform ASR, diarization, post‑processing, optional LLM 'cleanup', hotword biasing, and speaker gender inference — all coherent for a transcription skill. Notable capabilities: speaker gender classification and an explicit clustering patch (modifies FunASR internals) which are beyond a minimal transcribe helper but plausible for long-meeting support.
Instruction Scope: concernSKILL.md instructs running the bundled scripts (e.g., setup_env.sh and transcribe_funasr.py) and to set SCRIPTS=${CLAUDE_PLUGIN_ROOT}/... — CLAUDE_PLUGIN_ROOT is referenced but not declared in the skill metadata. The docs explicitly allow sending transcript excerpts to external LLM providers when --model is used (this is opt‑in and documented). The presence of a pre-scan 'system-prompt-override' signal in SKILL.md raises concern about prompt-injection attempts in the instructions content.
Install Mechanism: concernNo registry install spec, but bundled setup_env.sh will: (1) attempt to install ffmpeg via apt-get or brew (may invoke sudo), (2) create a Python venv and pip install torch, funasr, modelscope, boto3, and (3) run patch_clustering.py which modifies files inside the installed FunASR package in site-packages. Installing packages via pip and system package managers is expected for this task, but the automated modification of an installed third‑party package is a higher‑risk action and should be inspected before running.
Credentials: noteThe skill declares no required env vars and lists optional LLM-related variables (AWS_REGION, ANTHROPIC_API_KEY, OPENAI_API_KEY, OPENAI_BASE_URL) for the opt‑in LLM cleanup — this is proportionate. However the instructions reference CLAUDE_PLUGIN_ROOT (not declared) and the LLM code will, if used, rely on provider credentials (AWS credentials via standard chain or explicit API keys).
Persistence & Privilege: concernalways:false and the skill does not request permanent inclusion, but the setup script writes to disk (venv, installed packages) and patch_clustering.py edits files in site-packages (system/global Python package). That system‑level modification is a persistence/privilege concern and may require sudo; it changes third‑party library code outside the skill directory.