Is aktheknight/audio-transcribe safe?

https://github.com/openclaw/skills/tree/main/skills/aktheknight/audio-transcribe

86
SAFE

The aktheknight/audio-transcribe skill is a functionally legitimate local audio transcription tool built on faster-whisper. SKILL.md contains no prompt injection directives, persona instructions, or exfiltration commands, and transcribe.py is a clean 60-line Python script with no credential access and no network logic of its own. The canary credential file accesses observed during monitoring coincide in time with the Oathe audit framework's own canary initialization and file-collection phases, not with any execution of skill code, and the canary integrity report confirms that no exfiltration occurred. The residual risks are a hardcoded system path in SKILL.md that discloses /root/clawd/ as the agent framework root, and an automatic ML model download on first use that performs no integrity verification.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (6)

MEDIUM All six canary credential files accessed during audit period -20

The monitoring system recorded OPEN and ACCESS events for /home/oc-exec/.env, /home/oc-exec/.ssh/id_rsa, /home/oc-exec/.aws/credentials, /home/oc-exec/.npmrc, /home/oc-exec/.docker/config.json, and /home/oc-exec/.config/gcloud/application_default_credentials.json in two distinct bursts. The first burst (auditd timestamp 1771654296.555) occurred before the skill repository was cloned (git clone initiated at 1771654302), which places it during audit framework initialization, before any skill code existed on the host. The second burst (1771654318.364) occurred during the audit's own file-collection scan phase. transcribe.py contains no code referencing these paths, so neither burst is attributable to the skill. Canary integrity is confirmed intact, with no modification or exfiltration.
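The attribution above rests on timeline correlation: each canary access is placed in an audit phase by comparing its auditd timestamp against known phase boundaries, and only accesses that land inside the window where skill code could run are treated as attributable to the skill. The following is an added example of that check, not code from the Oathe framework or the skill. The auditd lines are constructed in PATH-record syntax using the timestamps the finding cites; the git clone start is taken from the finding, while the skill-run and file-collection-scan boundaries are assumed values for illustration.

```python
"""Attribute canary-file accesses to audit phases by auditd timestamp.

Added example; not part of the Oathe report or the audio-transcribe skill.
"""
import re
from dataclasses import dataclass

CANARY_PATHS = {
    "/home/oc-exec/.env",
    "/home/oc-exec/.ssh/id_rsa",
    "/home/oc-exec/.aws/credentials",
    "/home/oc-exec/.npmrc",
    "/home/oc-exec/.docker/config.json",
    "/home/oc-exec/.config/gcloud/application_default_credentials.json",
}

# Phase boundaries: (phase name, start timestamp), ascending.
# The clone start comes from the finding; the other two are ASSUMED.
PHASES = [
    ("framework-init", 0.0),
    ("skill-clone", 1771654302.0),          # git clone initiated (from the finding)
    ("skill-run", 1771654305.0),            # ASSUMED: earliest point skill code could execute
    ("file-collection-scan", 1771654315.0), # ASSUMED: start of the audit's own scan
]

# Constructed sample auditd PATH records, not real captured output.
SAMPLE_LOG = """\
type=PATH msg=audit(1771654296.555:101): item=0 name="/home/oc-exec/.env" nametype=NORMAL
type=PATH msg=audit(1771654296.556:102): item=0 name="/home/oc-exec/.ssh/id_rsa" nametype=NORMAL
type=PATH msg=audit(1771654302.000:150): item=0 name="/root/clawd/skills" nametype=NORMAL
type=PATH msg=audit(1771654310.120:180): item=0 name="/root/clawd/skills/audio-transcribe/scripts/transcribe.py" nametype=NORMAL
type=PATH msg=audit(1771654318.364:220): item=0 name="/home/oc-exec/.aws/credentials" nametype=NORMAL
"""

AUDIT_RE = re.compile(r'msg=audit\((?P<ts>\d+\.\d+):\d+\).*?name="(?P<name>[^"]+)"')


@dataclass(frozen=True)
class Access:
    ts: float
    path: str
    phase: str


def phase_for(ts: float, phases=PHASES) -> str:
    """Return the name of the last phase whose start is <= ts."""
    name = phases[0][0]
    for pname, start in phases:
        if ts >= start:
            name = pname
        else:
            break
    return name


def canary_accesses(log_text: str, phases=PHASES) -> list[Access]:
    """Parse auditd PATH records and keep only accesses to canary files."""
    out = []
    for line in log_text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue
        path = m.group("name")
        if path not in CANARY_PATHS:
            continue
        ts = float(m.group("ts"))
        out.append(Access(ts, path, phase_for(ts, phases)))
    return out


def skill_attributable(accesses: list[Access]) -> list[Access]:
    """Accesses that fall in the window where skill code could have run."""
    return [a for a in accesses if a.phase == "skill-run"]


if __name__ == "__main__":
    found = canary_accesses(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts:.3f}  {a.phase:<22} {a.path}")
    print("skill-attributable:", len(skill_attributable(found)))
```

With the sample log, both canary bursts land in framework phases and the skill-attributable list is empty, which is the conclusion the finding draws. An access to any canary path inside the skill-run window would be returned by skill_attributable and would warrant a very different verdict; the phase boundaries therefore need to come from the framework's own event log rather than being guessed.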

LOW Hardcoded absolute path discloses agent framework root directory -12

The Usage section of SKILL.md hardcodes the full installation path /root/clawd/skills/audio-transcribe/scripts/transcribe.py. This exposes /root/clawd/ as the expected root of the Clawdbot agent framework. This is documentation rather than an instruction to the agent, but it leaks filesystem layout that an attacker who can read loaded skill content could use to target the host. A path relative to the skill directory would convey the same usage information without disclosing the framework root.

LOW ML model weights downloaded from external source without integrity verification -15

transcribe.py calls WhisperModel(MODEL_SIZE, ...) which, on first invocation, downloads model weights from HuggingFace Hub or a configured mirror. The script performs no hash verification of the downloaded model files. A substituted model could at minimum return attacker-chosen transcript text that the agent then acts on, and, depending on the serialization format of what is downloaded, could theoretically execute code at load time. This is a common pattern in ML applications, but it is an unreviewed external dependency resolved at runtime rather than at install time.

LOW System path disclosure and unverified model download combine as residual supply chain risk -22

The /root/clawd/ path disclosure combined with automatic model download from an unverified external registry creates a modest but non-zero supply chain attack surface. A sophisticated attacker who could poison the HuggingFace Hub entry for faster-whisper's small model would gain code execution in the agent environment on first transcription. This risk is inherent to any faster-whisper deployment that fetches weights at runtime without pinning and verification, and is not unique to this skill.
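Both the unverified-download finding and this combined finding come down to the same missing control: the model directory is never compared against anything the skill author vouched for before it is loaded. The following is an added example of that control, not code from the audio-transcribe skill or the Oathe report. It assumes the skill author ships a manifest of expected SHA-256 digests for the model files (a hypothetical file; the digests in the test are computed over constructed sample files, not the real model). The WhisperModel and snapshot_download calls are the real faster-whisper and huggingface_hub APIs, with imports deferred so the verification logic runs without either package installed.

```python
"""Pin and verify faster-whisper model files before loading them.

Added example; not the skill's own code. Assumes a manifest of expected
SHA-256 digests supplied by the skill author (hypothetical file).
"""
import hashlib
import json
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Streamed SHA-256 so large model.bin files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(model_dir: Path) -> dict[str, str]:
    """Digest every file under model_dir; this is what the author would publish."""
    return {
        p.relative_to(model_dir).as_posix(): sha256_file(p)
        for p in sorted(model_dir.rglob("*"))
        if p.is_file()
    }


def verify_model_dir(model_dir: Path, manifest: dict[str, str]) -> list[str]:
    """Return a sorted list of problems; an empty list means the directory matches.

    Every manifest entry must exist and hash correctly. Files present on disk
    but absent from the manifest are also reported: a substituted model may
    add files (for example a pickle) that the author never shipped.
    """
    problems = []
    for rel, expected in manifest.items():
        p = model_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"hash mismatch: {rel}")
    for p in model_dir.rglob("*"):
        rel = p.relative_to(model_dir).as_posix()
        if p.is_file() and rel not in manifest:
            problems.append(f"unexpected file: {rel}")
    return sorted(problems)


def fetch_pinned(repo_id: str, revision: str, dest: Path) -> Path:
    """Download one immutable snapshot (revision = full commit hash, not a branch).

    Pinning the revision stops a later push to the repo from changing what is
    fetched; the hash manifest then catches substitution on the mirror or disk.
    """
    from huggingface_hub import snapshot_download  # deferred: optional at verify time
    return Path(snapshot_download(repo_id=repo_id, revision=revision, local_dir=str(dest)))


def load_verified_model(model_dir: Path, manifest_path: Path):
    """Refuse to construct WhisperModel unless the on-disk files match the manifest."""
    manifest = json.loads(manifest_path.read_text())
    problems = verify_model_dir(model_dir, manifest)
    if problems:
        raise RuntimeError("refusing to load model: " + "; ".join(problems))
    from faster_whisper import WhisperModel  # deferred: optional at verify time
    # A local directory plus local_files_only=True means no download can happen here.
    return WhisperModel(str(model_dir), local_files_only=True)


if __name__ == "__main__":
    import sys
    model_dir, manifest = Path(sys.argv[1]), Path(sys.argv[2])
    issues = verify_model_dir(model_dir, json.loads(manifest.read_text()))
    print("OK" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

The split between fetch_pinned and load_verified_model is deliberate: the download happens once, at install time, where a human or CI job can inspect what arrived and record the manifest, while the transcription path only ever opens a directory that has already passed verification. That removes the runtime network dependency the finding describes without changing how the skill is used.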

INFO Expected HTTPS connection to GitHub during installation -10

The installation established a TCP connection to 140.82.121.4:443 (github.com) to perform the sparse git clone. This is consistent with the documented installation source and expected behavior. No other external connections were observed.

INFO All honeypot files confirmed unmodified -5

The Oathe canary integrity check confirmed that all six honeypot credential files retained their original content and permissions throughout the audit. No data was written to these files by any process attributable to the skill.