ClawHub

SpeakNotes: YouTube, Audio & Document Summaries

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a legitimate SpeakNotes integration, but it will use your SpeakNotes API key and send selected media, documents, or YouTube links to SpeakNotes for processing.

Before installing, make sure you are comfortable storing a SpeakNotes API key and sending selected files, URLs, and note data to SpeakNotes. Use a dedicated revocable API key and only process content you are willing to share with that service.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#
ASI03: Identity and Privilege Abuse
Low
What this means

OpenClaw can use the saved SpeakNotes API key to perform SpeakNotes actions such as creating notes, uploading content for processing, and retrieving note status or note data.

Why it was flagged

The skill requires a SpeakNotes API key that grants account-level access for the described service operations. This is expected for the integration and the artifact includes safeguards such as not logging keys and using the official API host.

Skill content
A SpeakNotes API key from `/settings/api-keys`... Store it as `SPEAKNOTES_API_KEY`... Send auth in `Authorization` header
Recommendation

Use a dedicated, revocable SpeakNotes API key, store it only in OpenClaw's secret manager or equivalent protected config, and revoke it when no longer needed.

#
ASI07: Insecure Inter-Agent Communication
Low
What this means

Private audio, video, document content, or YouTube URLs selected for summarization may be transmitted to SpeakNotes for processing.

Why it was flagged

The skill sends user media or document bytes to a SpeakNotes-provided upload URL for processing. This is central to the skill's purpose and disclosed, but it is a meaningful data-sharing boundary.

Skill content
For upload flows, always: request signed URL - `PUT` bytes to signed URL - call complete endpoint - poll note status endpoint
Recommendation

Only use the skill for files or URLs you intend to share with SpeakNotes, and confirm sensitive documents before uploading them.