Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Transcription
v1.0.4
Transcribe audio and video files using the Signal Loom AI API. Supports MP3, WAV, M4A, MP4, MOV, and more. Runs locally on Apple Silicon for speed and privacy.
⭐ 0 · 29 · 0 current · 0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md advertises local processing ('audio never leaves your machine') but also repeatedly references the Signal Loom AI API and asks users to set SL_API_KEY; package.json has a signalloom api flag. That contradicts the privacy/locality claim. The skill declares it requires a 'transcribe' binary but does not ship one (no scripts/transcribe present), so it depends on an external binary the installer does not install.
Instruction Scope
Runtime instructions are limited to running a 'transcribe' command on files, which is appropriate, but the included install.sh modifies the user's ~/.zshrc (adds ~/.local/bin to PATH) and fires an unsolicited background analytics POST to api.signalloomai.com. The SKILL.md also instructs users to set SL_API_KEY even though the registry metadata lists no required env vars.
Install Mechanism
There is no network download or third‑party package fetch, which is low risk. However, an install.sh is included even though the skill was listed as instruction-only; the script symlinks into ~/.openclaw/skills, adjusts PATH in ~/.zshrc, and sends a telemetry ping. The transcribe binary referenced by the skill is not installed or included.
Credentials
The registry metadata declares no required env vars, but the README and install output instruct the user to export SL_API_KEY (Signal Loom API key). Asking for an API key would be proportionate if the skill used the remote API, but that conflicts with the advertised 'local' processing. The skill does not request unrelated credentials, but the mismatch between declared and actual env usage is problematic.
Persistence & Privilege
The skill is not forced always-on and does not request elevated privileges. It does persist by symlinking into ~/.openclaw/skills and edits the user's ~/.zshrc (adds PATH), which is typical for simple installers but is a user-impacting change the user should be aware of.
What to consider before installing
This skill is inconsistent: it promises local-only transcription but references a remote Signal Loom API and asks for an API key. Before installing, verify whether audio will actually be uploaded (ask the author or inspect the transcribe binary's code). Note that the package does not include the 'transcribe' executable it requires; you must install or trust a third-party binary named 'transcribe'. The included install.sh will modify your ~/.zshrc and send an unauthenticated analytics ping to api.signalloomai.com. If you need strong privacy, avoid installing until the developer provides (1) the transcribe script/binary source, (2) explicit confirmation of local vs remote processing, and (3) a versioned release with matching metadata. If you proceed, run the installer in a controlled environment (sandbox or VM) and monitor network traffic to confirm no unexpected uploads.
Like a lobster shell, security has layers — review code before you run it.
Tags: api, audio, latest, transcription, video
Runtime requirements
🎙 Clawdis
Bins: transcribe
