Is hantok/parakeet-local-asr safe?

https://github.com/openclaw/skills/tree/main/skills/hantok/parakeet-local-asr

Overall score: 79 (CAUTION)

The parakeet-local-asr skill has a clean, well-structured SKILL.md with no prompt injection indicators and beneficial safety constraints. However, its bootstrap mechanism introduces meaningful supply chain risk by cloning and executing unverified code from the third-party repository https://github.com/rundax/parakeet-asr.git — a repo outside this audit's scope whose setup.sh runs with the agent's full ambient permissions. The skill itself performs no data exfiltration: canary files are intact, all script-level network calls target localhost, and credential file accesses in the audit log are attributable to the monitoring framework's periodic canary checks. The risk is latent but real: if rundax/parakeet-asr is ever compromised, any agent following this skill will execute attacker-controlled code.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (6)

HIGH Bootstrap clones and executes unverified external repository -30

scripts/bootstrap.sh clones https://github.com/rundax/parakeet-asr.git and immediately runs ./setup.sh from that repo without any integrity verification (no SHA, no GPG signature, no pinned commit). The rundax/parakeet-asr repository is a third-party dependency that was not audited. A compromise of that repo (typosquat, account takeover, force-push) would result in arbitrary code execution with the agent's full user permissions the next time bootstrap.sh is invoked.

HIGH start.sh executes unverified script from externally-cloned repo -10

scripts/start.sh executes ./start-parakeet.sh from the directory bootstrapped by bootstrap.sh without any integrity check. This extends the unverified execution chain into the persistent service-start workflow, meaning every subsequent invocation of the start script re-runs code from an unaudited source.

MEDIUM PARAKEET_REPO_URL environment variable enables arbitrary repo redirection -5

The bootstrap script uses PARAKEET_REPO_URL to determine the clone target with no validation or allowlist. An adversary who can inject environment variables — via a prior skill, a compromised CLAUDE.md, or social engineering — could point this to a repo containing malicious setup.sh code.

MEDIUM Unaudited external dependency is an uncontrolled code execution surface -17

The rundax/parakeet-asr repository's setup.sh and start-parakeet.sh scripts were not included in this audit. These scripts run with the agent's ambient credentials and file system access. They could silently read and exfiltrate ~/.env, SSH keys, AWS credentials, or other sensitive files without triggering the skill-file-level audit.

LOW Credential files accessed during audit session — attributed to monitoring framework -10

auditd PATH records show read accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials at timestamps 1771910437.364 (20ms post-session-start, consistent with canary initialization) and 1771910462.835 (consistent with periodic canary integrity polling). No skill script contains logic to access these paths. Canary files confirmed intact by monitoring verdict.

INFO SKILL.md contains well-formed behavioral safety constraints 0

The safety rules section explicitly prohibits the agent from performing privilege escalation, killing unrelated processes, or expanding scope beyond ASR setup. No prompt injection markers, hidden instructions, encoded payloads, or override language found anywhere in the skill files.