Plaud Unofficial Skill
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any process that can read the .env file may be able to access the user's Plaud recordings, transcripts, and summaries until the token expires or is revoked.
The skill requires copying a Plaud web bearer token into a local environment file. This is expected for the Plaud integration, but it grants account access to recordings and should be treated like a password/session credential.
`tokenstr` | Your bearer token ... Create or update the `.env` file ... `PLAUD_TOKEN=bearer eyJ...your_full_token_here...`
Store the .env file securely, do not share it, remove it when no longer needed, and refresh/revoke the Plaud session if the token may have been exposed.
A broad download may place many private voice recordings on the local machine, increasing exposure if the folder is synced, backed up, or shared.
The CLI includes a bulk download command. This is aligned with the stated purpose, but it can retrieve all Plaud audio files into local storage.
Download all recordings to a folder `python3 plaud_client.py download-all -o ./all_recordings`
Use bulk download only when needed, choose a private output directory, and confirm which recordings will be retrieved before running it.
Future dependency versions could differ from the reviewed environment and may affect reliability or security.
The skill instructs users to install Python dependencies, and the dependency versions are lower-bounded rather than pinned. The packages are common and purpose-aligned, but the install is not fully reproducible.
requests>=2.28.0 python-dotenv>=1.0.0
Install in a virtual environment and consider pinning reviewed dependency versions if using the skill regularly.