Speech is Cheap Transcribe

Pass

Audited by ClawScan on May 1, 2026.

Overview

This is a coherent transcription wrapper, but it sends selected media, URLs, and a service API key to Speech is Cheap, so use it only with content you are comfortable sharing.

Install this only if you trust Speech is Cheap with the audio, URLs, and transcripts you choose to process. Keep SIC_API_KEY secret, use --private for sensitive media, and avoid letting untrusted content supply webhook URLs or unusual command options.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A crafted or poorly handled command argument could cause transcription jobs to fail or use unexpected request parameters.

Why it was flagged

The script manually interpolates agent/user-supplied strings into a JSON request instead of using a JSON encoder. This is purpose-aligned, but special characters in arguments could malform or alter the provider API request.

Skill content

--url) URL="$2"; shift ;; ... JSON_DATA=$(cat <<EOF ... "input_url": "$URL", ... "webhook_url": "$WEBHOOK", ... EOF

Recommendation

Use trusted command arguments, avoid letting untrusted page/session text choose webhook or advanced options unattended, and prefer a future version that builds JSON with a proper encoder such as jq or Python.

What this means

Anyone with access to the environment variable could use the linked Speech is Cheap account and potentially consume paid transcription credits.

Why it was flagged

The skill requires a Speech is Cheap API key and sends it as a bearer token to the service. This is expected for the stated provider integration, with no hardcoded key or logging shown.

Skill content

if [ -z "$SIC_API_KEY" ]; then ... -H "Authorization: Bearer $SIC_API_KEY"

Recommendation

Store SIC_API_KEY as a secret, use a revocable or least-privilege key if the provider supports it, and monitor account usage.

What this means

Audio files, URLs, transcripts, and callback payloads may be sent outside the local machine to the provider or to a configured webhook endpoint.

Why it was flagged

Local files can be uploaded to the provider, and an optional webhook can receive job completion data. Private mode is supported but defaults to false unless the user supplies --private.

Skill content

UPLOAD_BASE="https://upload.speechischeap.com/v2" ... -F "input_file=@$FILE" ... -F "webhook_url=$WEBHOOK" ... PRIVATE=false

Recommendation

Only transcribe media you are allowed to share with the provider, use --private for sensitive jobs, and set webhooks only to endpoints you control and trust.