local-vosk

clawhub:local-vosk

View source

100/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

100/100

LOW 2

Findings (2)

LOW

pip install arbitrary package EXTDL_009

external-download L42

Detects pip install of arbitrary packages that modify the host environment

pip3 install vo

FIX

Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

FP?

Likely FP if the match is in documentation showing how to install the skill's own PyPI package.

LOW

Download binary or archive from URL EXTDL_016

external-download L46

Detects downloading binary, archive, or installer files from remote URLs

wget https://alphacephei.com/vosk/models/vosk-model-small-en-us-0.15.zip

FIX

Verify the integrity of downloaded binaries or archives using SHA-256 checksums or GPG signatures. Pin download URLs to specific versions and avoid fetching from unverified sources.

FP?

Likely FP if the download is from github.com or githubusercontent.com for a specific tagged release with documented checksums.