Trusted — Risk Score 5/100
Last scan: 17 hr ago
telegram-whisper-transcribe
Standalone Telegram bot for voice message transcription via OpenAI Whisper API
Legitimate Telegram transcription bot using OpenAI Whisper API with transparent, documented behavior and no hidden or malicious functionality.
Skill Name: telegram-whisper-transcribe
Duration: 30.2s
Engine: pi
Safe to install
Approve for use. Consider pinning dependency versions in install.sh for supply-chain hygiene.

Findings (1 item)

Severity | Finding | Location
Low | Unpinned Python dependencies | Supply Chain
install.sh installs python-telegram-bot and openai without version constraints, so each install resolves to whatever version PyPI serves at that moment.
$BOT_DIR/venv/bin/pip install -q python-telegram-bot openai
→ Pin exact versions (python-telegram-bot==<version> openai==<version>) rather than lower bounds such as >=20.0 / >=1.0, which still accept every newer release; a requirements file with --hash entries installed via pip install --require-hashes additionally pins the artifact contents.
scripts/install.sh:24
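The finding above quotes the unconstrained pip install line. The shell check below is an added example, not part of the scanned skill or of the scanner's output: it word-splits a `pip install` command line, classifies each requirement spec by how strictly it is constrained, and fails when any spec is not exactly pinned. The `$BOT_DIR` path is the one quoted in the finding; the `==` versions in the hardened sample line are illustrative placeholders, not recommended releases.

```shell
#!/usr/bin/env bash
# Added example (not from the scanned skill or the scanner): lint a `pip install`
# command line for requirement specs that are not exactly pinned.

# classify_pin SPEC
# Prints how strictly a single requirement spec is constrained:
#   hash-pinned  exact version plus a --hash= digest (requirements-file syntax)
#   pinned       exact '==' version; the index cannot substitute a newer release
#   range        >=, <=, ~=, != or bare >/<; still floats to new uploads
#   unpinned     bare name; resolves to whatever the index serves at install time
classify_pin() {
  case "$1" in
    *--hash=*)                  echo "hash-pinned" ;;
    *==*)                       echo "pinned" ;;
    *'~='*|*'>'*|*'<'*|*'!='*)  echo "range" ;;
    *)                          echo "unpinned" ;;
  esac
}

# lint_pip_install CMDLINE
# Skips everything up to the `install` subcommand and any option tokens
# (-q, --upgrade, ...), prints "kind spec" for each package and returns 0
# only if every package is pinned or hash-pinned.
lint_pip_install() {
  local rc=0 kind
  set -- $1                                     # intentional word splitting
  while [ $# -gt 0 ] && [ "$1" != "install" ]; do shift; done
  [ $# -gt 0 ] && shift                         # drop 'install' itself
  while [ $# -gt 0 ]; do
    case "$1" in
      -*) ;;                                    # pip option, not a package
      *)  kind="$(classify_pin "$1")"
          printf '%-12s %s\n' "$kind" "$1"
          case "$kind" in
            pinned|hash-pinned) ;;
            *) rc=1 ;;
          esac ;;
    esac
    shift
  done
  return "$rc"
}

# The line quoted in the finding (scripts/install.sh:24), and a hardened form.
# The '==' versions below are illustrative placeholders, not recommended releases.
WEAK_INSTALL='$BOT_DIR/venv/bin/pip install -q python-telegram-bot openai'
PINNED_INSTALL='$BOT_DIR/venv/bin/pip install -q python-telegram-bot==20.0 openai==1.0.0'

if lint_pip_install "$WEAK_INSTALL"; then
  echo "OK: $WEAK_INSTALL"
else
  echo "FAIL: unpinned specs in: $WEAK_INSTALL"
fi
if lint_pip_install "$PINNED_INSTALL"; then
  echo "OK: $PINNED_INSTALL"
fi
```

To apply it to an install script, feed each `pip install` line to `lint_pip_install` (for example `grep 'pip install' scripts/install.sh | while read -r l; do lint_pip_install "$l"; done`); for a requirements file, pass each non-option line to `classify_pin`. Exact `==` pins stop silent version drift; hash pinning (`--hash=` entries installed with `pip install --require-hashes -r requirements.txt`) additionally rejects a substituted artifact that carries the same version number.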
Resource | Declared | Inferred | Status | Evidence
Filesystem NONE WRITE ✓ Aligned install.sh:23-25 creates bot.py, venv, .env in $HOME
Network NONE READ ✓ Aligned bot.py:45-57 calls Telegram API and OpenAI Whisper API only
Shell NONE ADMIN ✓ Aligned install.sh:44-48 uses systemctl for service management (declared in SKILL.md sys…
Environment READ ✓ Aligned bot.py:22-23 reads TELEGRAM_BOT_TOKEN and OPENAI_API_KEY (declared in env_vars)
Skill Invoke NONE NONE No cross-skill invocation detected
Clipboard NONE NONE No clipboard access
Browser NONE NONE No browser access
Database NONE NONE No database access

File Tree

3 files · 7.5 KB · 261 lines
Python 1f · 102L Markdown 1f · 100L Shell 1f · 59L
├─ 📁 scripts
│ ├─ 🐍 bot.py Python 102L · 3.2 KB
│ └─ 🔧 install.sh Shell 59L · 1.4 KB
└─ 📝 SKILL.md Markdown 100L · 2.9 KB

Dependencies (2 items)

Package | Version | Source | Known Vulns | Notes
python-telegram-bot | * | pip | No | Version not pinned; widely used, actively maintained library, so the chance of pulling a broken release is low, but an unconstrained spec still installs whatever the index serves at install time
openai | * | pip | No | Version not pinned; official OpenAI SDK, same caveat

Security Positives

✓ All network calls are to documented, legitimate endpoints (Telegram Bot API and OpenAI Whisper API)
✓ Credentials are stored with correct restrictive permissions (chmod 600 .env)
✓ No credential harvesting: each API key is sent only to the service it belongs to (Telegram Bot API, OpenAI API) and to no other destination
✓ No subprocess, eval, base64, or obfuscation patterns detected
✓ No hidden HTML comments or embedded instructions
✓ Clean separation: bot.py is a straightforward single-responsibility transcription service
✓ Temp files are properly cleaned up after transcription
✓ Error handling present with user-friendly feedback
✓ SKILL.md accurately describes all behavior including systemd service setup
✓ install.sh has no curl|bash remote execution patterns