Skill v1.0.0
ClawScan security
transcribe · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 16, 2026, 3:00 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it sends audio to SkillBoss API for transcription and only requires a single SKILLBOSS_API_KEY environment variable, with no install steps or unrelated permissions requested.
- Guidance: This skill will transmit any audio you provide to api.skillbossai.com using the SKILLBOSS_API_KEY. Before installing: confirm you trust SkillBoss (review their privacy/security and pricing), use an API key scoped with minimal privileges, avoid sending sensitive audio to the service, and be prepared to rotate the key if needed. Also verify the publisher (registry owner and homepage) since the SKILL.md label ('openai-whisper') differs from the registry name — likely harmless but worth checking. Finally, ensure the agent is only given the specific audio files you intend to transcribe.
Review Dimensions
- Purpose & Capability (note): The skill's description (transcribe via SkillBoss) matches the runtime instructions which call https://api.skillbossai.com/v1/pilot. Minor inconsistency: SKILL.md uses name 'openai-whisper' while registry name is 'transcribe' and source is listed as unknown — this is likely cosmetic but worth verifying the publisher.
- Instruction Scope (note): Instructions show reading a local audio file, base64-encoding it, and POSTing it to api.skillbossai.com with the SKILLBOSS_API_KEY. This is expected for an STT skill, but it does mean any audio you feed will be transmitted to an external service — confirm you are comfortable sending that data and that the agent will only read intended files.
- Install Mechanism (ok): No install spec and no code files (instruction-only). This minimizes local persistence and disk writes.
- Credentials (ok): Only SKILLBOSS_API_KEY is required, which is proportionate to calling a third-party API. No other unrelated secrets or config paths are requested.
- Persistence & Privilege (ok): always is false and the skill does not request elevated or persistent platform privileges. It does allow normal autonomous invocation (platform default).
