Plaud Unofficial Skill
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: plaud-unofficial
Version: 1.0.1
The skill is designed to interact with the Plaud API to manage voice recordings, transcripts, and AI summaries. The `SKILL.md` provides clear, explicit instructions for the user to obtain credentials from the Plaud web app's local storage and set them up in a local `.env` file. The `plaud_client.py` script correctly loads these credentials, makes API calls only to the expected Plaud domains (`*.plaud.ai`), and handles file downloads with basic sanitization. There is no evidence of prompt injection against the agent, data exfiltration, malicious execution, persistence mechanisms, or obfuscation. All actions are aligned with the stated purpose of accessing Plaud data.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any process that can read the .env file may be able to access the user's Plaud recordings, transcripts, and summaries until the token expires or is revoked.
The skill requires copying a Plaud web bearer token into a local environment file. This is expected for the Plaud integration, but it grants account access to recordings and should be treated like a password/session credential.
`tokenstr` | Your bearer token ... Create or update the `.env` file ... `PLAUD_TOKEN=bearer eyJ...your_full_token_here...`
Store the .env file securely, do not share it, remove it when no longer needed, and refresh/revoke the Plaud session if the token may have been exposed.
A broad download may place many private voice recordings on the local machine, increasing exposure if the folder is synced, backed up, or shared.
The CLI includes a bulk download command. This is aligned with the stated purpose, but it can retrieve all Plaud audio files into local storage.
Download all recordings to a folder: `python3 plaud_client.py download-all -o ./all_recordings`
Use bulk download only when needed, choose a private output directory, and confirm which recordings will be retrieved before running it.
Future dependency versions could differ from the reviewed environment and may affect reliability or security.
The skill instructs users to install Python dependencies, and the dependency versions are lower-bounded rather than pinned. The packages are common and purpose-aligned, but the install is not fully reproducible.
requests>=2.28.0
python-dotenv>=1.0.0
Install in a virtual environment and consider pinning reviewed dependency versions if using the skill regularly.
