Is kylehowells/parakeet-mlx safe?
https://github.com/openclaw/skills/tree/main/skills/kylehowells/parakeet-mlx
The parakeet-mlx skill is a minimal, benign wrapper around a legitimate local speech-to-text CLI tool. SKILL.md contains only straightforward usage instructions with no prompt injection, hidden directives, or attempts to access sensitive resources. All canary files remained intact, network activity during installation was limited to GitHub (expected for monorepo clone) and pre-existing Ubuntu system services, and no executable code was present in the skill bundle. The only notable behavior is that parakeet-mlx downloads ML models from Hugging Face on first use, which is transparently disclosed in the skill itself.
Findings (4)
INFO Hugging Face model auto-download on first use -4
The skill discloses that models are downloaded from Hugging Face to ~/.cache/huggingface on first invocation. This is benign and expected behavior for a local ML inference tool, and is transparently documented in the skill. No data is sent to Hugging Face beyond the model download request.
INFO Skill instructs agent to invoke external binary with file arguments -3
The skill's purpose is to run parakeet-mlx on user-supplied audio paths. If the agent were tricked into supplying a sensitive file path as an audio input, the tool would attempt to process it. This is an inherent property of any file-processing tool skill and is within the documented scope.
INFO Background Canonical/Ubuntu network traffic during install window -3
Connections to 91.189.91.48 and 185.125.188.57 (Canonical infrastructure) were observed. These correspond to pre-existing Ubuntu apt/snap background update processes and are unrelated to skill installation.
INFO lock.json references unrelated skill -5
The .clawhub/lock.json bundled with this skill references 'academic-research-hub' v0.1.0 rather than this skill. This is a stale or shared lock file artifact from the monorepo environment and does not indicate malicious intent or cross-skill dependency.