Plaud Unofficial Skill
v1.0.1Use when accessing Plaud voice recorder data (recordings, transcripts, AI summaries) - guides credential setup and provides patterns for plaud_client.py
⭐ 3· 1.8k·2 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name, description, and included files (plaud_client.py + API docs) align with the stated purpose of accessing Plaud recordings/transcripts. However, the registry metadata lists no required env vars while the runtime docs instruct you to add PLAUD_TOKEN and PLAUD_API_DOMAIN to a .env file—so the declared requirements do not match the actual usage.
Instruction Scope
SKILL.md instructs a manual interactive flow: open web.plaud.ai, use Chrome DevTools to read localStorage.tokenstr and copy it into a local .env file. That step asks the user to extract a bearer token from their browser (sensitive secret). The instructions stick to the skill's scope (accessing Plaud data) and do not instruct reading other system files, but they do direct storing a long-lived token in plaintext under ~/.claude/skills/plaud-api/.env which expands the attack surface if the machine is shared or compromised.
Install Mechanism
There is no external download/install mechanism beyond shipping the code in the skill and advising pip install -r requirements.txt. No remote arbitrary archive downloads or obscure third-party installers were found.
Credentials
The skill legitimately needs a Plaud bearer token to work, but the registry declares no required environment variables while SKILL.md asks for PLAUD_TOKEN and PLAUD_API_DOMAIN. Also the included client reads PLAUD_TOKEN but does not appear to read PLAUD_API_DOMAIN (it uses a region mapping or --region flag), so the docs and code disagree. Asking users to copy a bearer token (long-lived, ~10 months) into a local file is sensitive and should be justified and handled carefully.
Persistence & Privilege
The skill does not request always:true and will not be force-included for all agents. It only stores credentials in a skill-local .env file and does not modify other skills or system-wide agent settings. Autonomous invocation is allowed (platform default) but not combined with other high privileges.
What to consider before installing
This skill appears to be an unofficial, reverse-engineered Plaud client that generally matches its description, but exercise caution before installing or using it:
- Review the included plaud_client.py yourself (it's provided) and confirm all network endpoints are the official Plaud domains you expect. The code is readable and makes direct requests to api-euc1.plaud.ai and related endpoints documented in PLAUD_API.md.
- Be aware SKILL.md directs you to extract a bearer token from your browser localStorage and paste it into a plaintext .env file under the skill folder. That token is long-lived and grants access to your recordings and transcripts—only do this on a machine you control and trust.
- Note the mismatch: registry metadata declares no required env vars, SKILL.md asks for PLAUD_TOKEN and PLAUD_API_DOMAIN, but plaud_client.py uses a region mapping/--region flag rather than reading PLAUD_API_DOMAIN from the environment. This likely indicates sloppy documentation rather than malicious behavior, but it is an incoherence you should confirm before trusting automation.
- If you decide to proceed: restrict file permissions on the .env (chmod 600), keep backups secure, delete the token from browser/localStorage if you rotate it later, and consider creating a limited/rotatable credential if Plaud supports it. If unsure, prefer manually running the included script rather than granting the skill autonomous access.Like a lobster shell, security has layers — review code before you run it.
latestvk978rnqckrv4p64frxh72mr0g97zyee0
License
MIT-0
Free to use, modify, and redistribute. No attribution required.