Whisper Local Api
by Roman Slysh · v1.0.0
526 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install whisper-local-api
Description
Secure, offline, OpenAI-compatible local Whisper ASR endpoint for OpenClaw. Features faster-whisper (large-v3-turbo), built-in privacy with no cloud telemetr...
Usage Guidance
This skill appears to implement a local Whisper API but relies on cloning and running code from a remote repository and installing Python packages, which undermines the '100% offline' claim. Before installing:
- Inspect the remote repository (the default repo URL or any WHISPER_REPO_URL you set) and review its run_server.sh and requirements.txt for network calls or telemetry
- Run the bootstrap/start steps inside a disposable VM or container
- Expect that model weights may be downloaded at runtime (network access) and could be large
- If you need strict offline guarantees, obtain vetted offline artifacts (server code and model files) and set WHISPER_DIR to a local copy instead of cloning
- Avoid supplying third-party WHISPER_REPO_URLs unless you trust the source
Capability Analysis
Type: OpenClaw Skill
Name: whisper-local-api
Version: 1.0.0
The skill is classified as suspicious due to a significant supply chain vulnerability. `scripts/bootstrap.sh` lets the `WHISPER_REPO_URL` environment variable override the Git repository that is cloned and executed. If an attacker can control this variable, they could substitute a malicious repository, leading to arbitrary code execution during the setup phase. Additionally, `SKILL.md` indicates the service binds to `0.0.0.0` by default; although the file warns about this, it exposes the service on all network interfaces, increasing the attack surface if the host is not properly firewalled. `SKILL.md` also contains a benign prompt injection instruction ('Ask before any package-manager operations'), which aims to enhance safety, not to cause harm.
Capability Assessment
Purpose & Capability
The skill claims '100% offline & private' but the provided bootstrap script clones a remote GitHub repository (default REPO_URL) and runs code from that repo. Model weights and runtime behavior are not included in the skill bundle, so network access will be required to obtain the server code and likely model files—this contradicts the offline guarantee in the description.
Instruction Scope
Runtime instructions direct the operator to run bootstrap.sh, start.sh, healthcheck.sh, and a smoke-test. bootstrap.sh creates a venv and runs 'pip install -r requirements.txt' from the cloned repo; start.sh invokes an external run_server.sh from the cloned repo. The skill executes code that is not bundled with the skill (the remote repo) which may perform arbitrary operations (network I/O, telemetry, filesystem changes). The included scripts use curl only against localhost, but there is no assurance the remote repo will not contact external endpoints.
Install Mechanism
No registry install spec is declared, but bootstrap.sh clones a GitHub repository (https://github.com/Hantok/local-whisper-backend.git by default) and installs Python packages from its requirements.txt. GitHub is a well-known host (lower risk than arbitrary IPs or paste sites), but cloning + pip install means remote code will be fetched and executed—this is a moderate install risk and requires network access.
Credentials
The skill declares no required credentials or sensitive env vars. It does accept optional overrides (WHISPER_DIR, WHISPER_REPO_URL, WHISPER_HEALTHCHECK_URL, WHISPER_API_URL). No secrets are requested. Note: WHISPER_REPO_URL can be set to any repository, which if misused could cause arbitrary code to be installed.
Persistence & Privilege
The skill does not request always:true, does not modify other skills' configs, and does not request elevated or persistent platform privileges. start.sh launches run_server.sh as a background process under the user account; there is no automatic systemd/cron installation in the provided scripts.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install whisper-local-api`
- After installation, invoke the skill by name or use `/whisper-local-api`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Whisper Local API 1.0.0 – Initial Release
- Launches a secure, 100% offline OpenAI-compatible Whisper ASR endpoint for OpenClaw.
- Utilizes faster-whisper with the large-v3-turbo model for high-accuracy, privacy-first speech-to-text.
- Lightweight; low RAM usage (~400-500MB) suitable for edge and VPS environments.
- Built-in local API for OpenAI Whisper-compatible `/v1/audio/transcriptions` calls, no cloud required.
- Includes simple scripts for install, startup, health checking, and smoke testing with audio files.
Frequently Asked Questions
What is Whisper Local Api?
Secure, offline, OpenAI-compatible local Whisper ASR endpoint for OpenClaw. Features faster-whisper (large-v3-turbo), built-in privacy with no cloud telemetr... It is an AI Agent Skill for Claude Code / OpenClaw, with 526 downloads so far.
How do I install Whisper Local Api?
Run "/install whisper-local-api" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Whisper Local Api free?
Yes, Whisper Local Api is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Whisper Local Api support?
Whisper Local Api is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Whisper Local Api?
It is built and maintained by Roman Slysh (@hantok); the current version is v1.0.0.