Voicenotes

AdvisoryAudited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note

ASI03: Identity and Privilege Abuse

What this means

Anyone or anything with this token may be able to retrieve your Voicenotes data through the API.

Why it was flagged

The skill explicitly requires an API token to access the user's Voicenotes account. This is expected for the integration and no unrelated token use is shown, but the token grants access to account data and recordings.

Skill content

Set environment variable: `export VOICENOTES_TOKEN="your-token-here"` ... Headers required: `Authorization: Bearer {token}` ... `X-API-KEY: {token}`

Recommendation

Use a dedicated/revocable Voicenotes token if available, keep it out of shared logs and repositories, and revoke it if you stop using the skill.

Note

ASI06: Memory and Context Poisoning

What this means

Private transcripts and summaries may remain in your workspace and could later be searched, read by tools, backed up, or committed accidentally.

Why it was flagged

The sync script persists transcripts and AI-created content as markdown files. This is central to the skill's purpose, but it creates local copies of potentially sensitive voice-note content.

Skill content

OUTPUT_DIR="${VOICENOTES_OUTPUT_DIR:-./voicenotes}" ... cat > "$FILEPATH" << EOF ... ## Transcript

${TRANSCRIPT}

${CREATIONS}

Recommendation

Choose a private output directory, avoid syncing these files to public repositories, and delete or protect the markdown copies when no longer needed.

Note

ASI04: Agentic Supply Chain Vulnerabilities

What this means

Installation or first use may fail unless you manually set the token and have jq available for markdown sync.

Why it was flagged

The registry metadata does not declare the token or jq setup requirements, even though the provided instructions and scripts require them. This is an under-declared setup issue, not hidden behavior, because the artifacts disclose the requirements.

Skill content

Required binaries (all must exist): none ... Required env vars: none ... Primary credential: none

Recommendation

Before using the skill, set VOICENOTES_TOKEN as described in SKILL.md and ensure jq is installed if you plan to sync to markdown.