Voicenotes
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: voicenotes Version: 1.0.0 The skill is benign. Its behavior is fully aligned with the stated purpose of syncing voice notes from Voicenotes.com. It uses `curl` to interact with the legitimate `api.voicenotes.com` endpoint, authenticating with a user-provided `VOICENOTES_TOKEN` environment variable, and writes the retrieved data to local markdown files. There is no evidence of data exfiltration to unauthorized destinations, malicious execution, persistence mechanisms, or prompt injection attempts in SKILL.md or the scripts. All network and file system operations are necessary for its described functionality.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or anything with this token may be able to retrieve your Voicenotes data through the API.
The skill explicitly requires an API token to access the user's Voicenotes account. This is expected for the integration and no unrelated token use is shown, but the token grants access to account data and recordings.
Set environment variable: `export VOICENOTES_TOKEN="your-token-here"` ... Headers required: `Authorization: Bearer {token}` ... `X-API-KEY: {token}`Use a dedicated/revocable Voicenotes token if available, keep it out of shared logs and repositories, and revoke it if you stop using the skill.
Private transcripts and summaries may remain in your workspace and could later be searched, read by tools, backed up, or committed accidentally.
The sync script persists transcripts and AI-created content as markdown files. This is central to the skill's purpose, but it creates local copies of potentially sensitive voice-note content.
OUTPUT_DIR="${VOICENOTES_OUTPUT_DIR:-./voicenotes}" ... cat > "$FILEPATH" << EOF ... ## Transcript
${TRANSCRIPT}
${CREATIONS}Choose a private output directory, avoid syncing these files to public repositories, and delete or protect the markdown copies when no longer needed.
Installation or first use may fail unless you manually set the token and have jq available for markdown sync.
The registry metadata does not declare the token or jq setup requirements, even though the provided instructions and scripts require them. This is an under-declared setup issue, not hidden behavior, because the artifacts disclose the requirements.
Required binaries (all must exist): none ... Required env vars: none ... Primary credential: none
Before using the skill, set VOICENOTES_TOKEN as described in SKILL.md and ensure jq is installed if you plan to sync to markdown.