qwen-asr

This skill is a local transcription service that runs a quantized Qwen ASR model via a FastAPI server on Apple Silicon. The provided documentation and endpoints are consistent with the stated purpose. There are no indicators of direct malicious behavior (no credential harvesting, no obfuscated code, no command-and-control). The primary security concerns are supply-chain and operational: the service downloads model artifacts from a third-party HF mirror on first run (a supply-chain trust decision), accepts arbitrary audio URLs which cause outbound fetches, and encourages persistent auto-start. These are normal for a local ML service but increase the attack surface if the mirror or fetched audio URLs are malicious or if the environment runs the service with excessive privileges. Recommended mitigations: prefer official, pinned model sources or verify downloads, run under a limited user account, restrict network egress where appropriate, and validate or sandbox fetched audio.