Oathe Security Badge

Is skill/parakeet-local-asr safe?

https://clawhub.ai/skill/parakeet-local-asr

Overall score: 85 (verdict: SAFE)

This skill appears to legitimately set up NVIDIA Parakeet ASR for local speech-to-text processing. However, it downloads and executes code from an external GitHub repository without showing what that code does, creating a security risk. No malicious behavior was detected during installation and all security canaries remained intact.

Category Scores (score out of 100 · weight toward the overall score)

Prompt Injection 95/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 60/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (4)

HIGH External Code Download and Execution -40

The bootstrap.sh script downloads code from an external GitHub repository (https://github.com/rundax/parakeet-asr.git) and executes a setup.sh script whose contents are not visible in this audit. This creates a security risk, since the external code could be malicious or become compromised.

LOW Potential Data Access Risk -10

While no exfiltration was detected, the external setup.sh script could potentially access sensitive data since its contents are unknown.

LOW External Network Connections -15

The skill makes connections to external services during installation, though these appear legitimate.

MEDIUM Supply Chain Risk -30

The skill creates a dependency on external code that could be modified maliciously in the future, creating ongoing supply chain risk.