Speechmatics

Pass

Audited by ClawScan on May 10, 2026.

Overview

This skill appears legitimate for transcription, but it needs your Speechmatics API key and sends selected audio files to the configured Speechmatics API endpoint.

Before installing, make sure you trust this skill with your Speechmatics API key and with the audio you choose to transcribe. Use the default or another trusted Speechmatics endpoint, keep the API key out of shared files, and review transcripts before taking follow-up actions based on them.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The API key authorizes use of the user's Speechmatics account and may affect account usage or billing.

Why it was flagged

The script uses a Speechmatics API key from a flag, environment variable, or a specific OpenClaw config field, then sends it as a bearer token to the transcription API. This is expected for the service and appears bounded to the Speechmatics workflow.

Skill content

api_key="${SPEECHMATICS_API_KEY:-}" ... jq -r '.skills.entries.speechmatics.apiKey // empty' "$cfg" ... -H "Authorization: Bearer ${api_key}"

Recommendation

Store the API key securely, avoid putting real keys in shared files, and rotate the key if it is exposed.

What this means

Audio content, which may contain private conversations or sensitive information, is sent to Speechmatics or to whatever trusted base URL the user configures.

Why it was flagged

The script uploads the selected audio file to the configured API base URL. This is central to transcription, but the data boundary depends on the configured endpoint.

Skill content

base_url="${SPEECHMATICS_BASE_URL:-https://asr.api.speechmatics.com/v2}" ... -F "data_file=@${in}"

Recommendation

Only transcribe files you are comfortable sending to the provider, and do not override the base URL unless you trust that endpoint.