Transcribee π
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: transcribee
Version: 1.2.1
The skill is classified as benign. It transparently uses `yt-dlp` and `ffmpeg` for media processing and `ElevenLabs` and `Anthropic` APIs for transcription and categorization, which aligns with its stated purpose. External command execution is handled using `execFileAsync`, which is a safer method than `exec` as it prevents shell injection. Output files are saved to a user-owned directory (`~/Documents/transcripts`). There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts against the OpenClaw agent itself; the prompt engineering observed is for the internal Anthropic LLM used for categorization.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can process local media files and create temporary audio files when you ask it to transcribe them.
The skill invokes local media tooling on user-supplied files as part of transcription. This is expected for the purpose and uses execFile-style argument passing rather than shell string concatenation.
await execFileAsync('ffmpeg', ['-i', videoPath, '-vn', '-acodec', 'aac', '-b:a', '192k', '-y', destAudio]);
Run it only on media or URLs you intend to transcribe, and keep yt-dlp/ffmpeg installed from trusted sources.
Using the skill may spend quota or incur charges on your ElevenLabs and Anthropic accounts.
The code requires ElevenLabs and Anthropic API keys, even though registry metadata declares no required environment variables. The keys are purpose-aligned and not shown being logged or hardcoded.
process.env.ELEVEN_LABS_API_KEY ... throw new Error('Missing ELEVEN_LABS_API_KEY in .env'); ... process.env.ANTHROPIC_API_KEY ... throw new Error('Missing ANTHROPIC_API_KEY in .env');
Declare and configure only the needed API keys, monitor provider usage, and avoid sharing the .env file.
Private transcript summaries and new transcript content may be sent to an external AI provider for categorization and may influence how future transcripts are organized.
Existing transcript metadata and summaries are reused as context for future categorization, and new transcript content is analyzed by Claude for organization.
Reads existing transcript library from `~/Documents/transcripts/` ... Uses Claude Sonnet 4 to analyze the transcript and decide which single-level category folder to place it in
Do not transcribe highly sensitive media unless you are comfortable with provider processing and persistent local storage; review or separate the transcript library if needed.
Installation may require more local setup and third-party packages than the registry summary suggests.
The repository documents additional runtime dependencies and API-key setup that are not reflected in the registry requirements. The package lock includes pinned integrity data, so this is primarily a metadata completeness issue.
brew install yt-dlp ffmpeg
pnpm install
# Add your ElevenLabs + Anthropic API keys to .env
Review the README setup steps, install dependencies from trusted package managers, and ensure registry metadata is updated to match the actual requirements.
