Is damirikys/faster-whisper-local safe?

https://github.com/openclaw/skills/tree/main/skills/damirikys/faster-whisper-local

Overall score: 88/100 (SAFE)

The faster-whisper-local skill is a legitimate local speech-to-text tool with clean SKILL.md instructions and no prompt injection, exfiltration code, or malicious behaviors. The only material concerns are supply-chain risks inherent to ML tooling: unpinned faster-whisper and PyTorch dependencies and a third-party PyTorch index URL. Canary file accesses in the audit log are attributable to the audit framework's own verification sweeps, not the skill.

Category Scores

Category              Score     Weight
Prompt Injection      97/100    30%
Data Exfiltration     85/100    25%
Code Execution        80/100    20%
Clone Behavior        82/100    10%
Canary Integrity      96/100    10%
Behavioral Reasoning  82/100     5%

Findings (6)

LOW Unpinned PyPI and PyTorch dependencies -10

requirements.txt specifies faster-whisper>=1.0.0 (lower bound only), and setup.sh installs torch without any version constraint. A future malicious release of either package would be installed automatically on the next setup run.

LOW PyTorch sourced from third-party index URL -8

setup.sh downloads PyTorch from download.pytorch.org/whl/cu121 rather than from PyPI. While this is the installation approach Meta/PyTorch recommends, it bypasses PyPI's audit trail.

LOW Canary file accesses observed (attributed to audit framework) -5

Credential files (.env, .ssh/id_rsa, .aws/credentials, etc.) appear in PATH audit records at two timestamps — 1771939939.255 (pre-install, 5 seconds before skill clone begins) and 1771939958.898 (post-install). Both access patterns are consistent with the audit framework's own canary baseline and verification sweeps. No skill code reads these paths.

LOW openclaw-gateway opens new outbound connections post-install -8

After install, the openclaw-gateway process (pid=1084) establishes connections to 34.233.6.177:443 (AWS) and 104.16.11.34:443 (Cloudflare) and opens listening ports 18790/18793. This is the ClawHub execution platform starting its gateway service, not the skill itself.

INFO ML model downloaded from internet on first run -2

The skill downloads the distil-large-v3 Whisper model (~756MB) from Hugging Face on first transcription. This is standard ML tooling behavior and is disclosed in SKILL.md.

INFO Unrelated skill present in lock.json 0

The .clawhub/lock.json file lists 'academic-research-hub' as a previously installed skill. This is a developer artifact from the skill author's own environment committed accidentally. It has no functional effect.