Voicenotes Official

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: voicenotes-official
Version: 1.0.3

The skill bundle is benign. It provides clear instructions for integrating with the Voicenotes API using `curl` and explicitly includes detailed input sanitization guidelines in `SKILL.md` to prevent common vulnerabilities like shell injection and JSON injection. All network requests are directed to the legitimate `api.voicenotes.com` domain, and there is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection against the agent.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any agent flow with this key may be able to access the user’s Voicenotes data through the documented API.

Why it was flagged

The skill requires a Voicenotes API key and uses it as an Authorization header for account API access. This is expected for the integration, but the key is sensitive.

Skill content

requires:
      env:
        - VOICENOTES_API_KEY
... All requests need the Authorization header ... -H "Authorization: $VOICENOTES_API_KEY"

Recommendation

Use a dedicated Voicenotes integration key if available, store it only in the intended OpenClaw configuration, and revoke or rotate it if exposed.

What this means

Private voice-note transcripts may be shown to the agent, and old note text could influence responses if the agent treats retrieved content as authoritative.

Why it was flagged

The skill is designed to retrieve persistent user notes and full transcripts into the agent context. That content can be private and should be treated as data, not trusted instructions.

Skill content

search semantically, retrieve full transcripts ... "transcript": "Full transcript text with <br> for line breaks..."

Recommendation

Ask the agent to retrieve only relevant notes, avoid storing secrets in Voicenotes, and treat transcript text as untrusted reference material.

What this means

The agent could add content to the user’s Voicenotes account when asked or if the workflow invokes that operation.

Why it was flagged

The documented API includes a POST operation that creates a new text note. This is purpose-aligned but mutates the user’s Voicenotes account.

Skill content

Create a text note in Voicenotes: curl -X POST "https://api.voicenotes.com/api/integrations/open-claw/recordings/new" ... "transcript": "note content here"

Recommendation

Require clear user intent or confirmation before creating notes, especially for sensitive or long-form content.

What this means

A user may rely on the official branding when deciding to provide an API key.

Why it was flagged

The registry information presents the skill as official but lists the source as unknown. The documented calls are scoped to Voicenotes endpoints, but users should still verify provenance before entering an API key.

Skill content

Name: Voicenotes Official ... Source: unknown ... Homepage: https://voicenotes.com

Recommendation

Verify the skill listing or owner through Voicenotes’ official website or documentation before configuring the API key.