use-local-whisper
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUM (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill fetches and merges code from a remote Git repository (https://github.com/qwibitai/nanoclaw-whatsapp.git) and subsequently executes npm run build to compile the new logic.
- [COMMAND_EXECUTION]: The skill uses launchctl to unload, load, and restart system services. It also modifies the PATH variable within the user's LaunchAgents configuration file (com.nanoclaw.plist) to include Homebrew directories.
- [EXTERNAL_DOWNLOADS]: The skill downloads a machine learning model file from Hugging Face (huggingface.co) using curl to facilitate local transcription.
- [COMMAND_EXECUTION]: The skill executes several shell commands for environment validation, including grep, ls, and binary help checks for whisper-cli and ffmpeg.
- [COMMAND_EXECUTION]: The ingestion of external audio data from WhatsApp for processing by local binaries creates a surface for indirect prompt injection or potential buffer overflow attacks if the processing tools are vulnerable.
Audit Metadata