Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pocket AI Transcripts

v1.0.0

Read transcripts and summaries from Pocket AI (heypocket.com) recording devices. Use when users want to retrieve, search, or analyze their Pocket recordings, transcripts, summaries, or action items. Triggers on requests involving Pocket device data, conversation transcripts, meeting recordings, or audio note retrieval.

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, description, and API usage (production.heypocketai.com) align with the included client code. However, the SKILL.md and scripts require the separate 'browser' skill and Chrome to be run with a profile and remote debugging flags; those dependencies are not declared in the registry metadata. Asking to extract a Firebase bearer token from the browser is coherent for this purpose but should have been declared.
!
Instruction Scope
Runtime instructions explicitly tell the user to start Chrome with a profile and use a local browser-eval script to read IndexedDB and extract Firebase tokens. This is narrowly scoped to obtaining an auth token for Pocket, but it necessarily grants the skill access to browser storage (which can contain other credentials). The instructions save tokens to ~/.pocket_token.json. There are no suggestions in SKILL.md to limit the profile used or isolate the browser, nor warnings about the sensitivity of IndexedDB access.
Install Mechanism
There is no remote install/download; the skill is instruction + a local python script. No external archives or runtime downloads are invoked by an install spec. This keeps install-time risk low. The script does invoke subprocesses to call the local 'browser' skill's JS files.
!
Credentials
No env vars or credentials are declared, which matches registry metadata, but the code requires access to a Chrome user profile and the browser-eval scripts under ~/.factory/skills/browser or ~/.claude/skills/browser. Extracting Firebase tokens from the browser is sensitive and granting remote-debugging access to Chrome may expose other site tokens/cookies if not performed on an isolated profile. The skill writes the token to ~/.pocket_token.json (expires in ~1 hour); presence of this file is additional sensitive state.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and stores only a short-lived token in the user's home directory. It does not request system-wide persistent privileges.
What to consider before installing
This skill appears to do what it says (access Pocket transcripts) but it extracts a Firebase bearer token from your Chrome profile using remote debugging and a separate 'browser' skill. Before installing: (1) inspect the full reader.py and the browser-eval JS to confirm no unexpected network endpoints or data exfiltration; (2) run Chrome with an isolated/new profile (not your main profile) when extracting tokens; (3) review and, if desired, remove ~/.pocket_token.json after use and revoke sessions via Pocket if you suspect exposure; (4) ensure you trust the source repository (there is no declared homepage and the skill registry metadata omits the browser-skill dependency). If you can obtain a token via an official OAuth flow or the vendor's API, prefer that instead. Additional info (full, un-truncated reader.py and the referenced browser eval.js) would increase confidence in the assessment.

Like a lobster shell, security has layers — review code before you run it.

MIT-0

Pocket Transcripts

Read transcripts and summaries from Pocket AI devices via a reverse-engineered API.

Quick Reference

| Function | Description |
| --- | --- |
| get_recordings(days, limit) | List recent recordings |
| get_recording_full(id) | Get transcript + summary + action items |
| get_transcript(id) | Get raw transcript text |
| get_summarization(id) | Get markdown summary |
| search_recordings(query) | Search by text |

Setup (One-Time)

1. Start Chrome with User Profile

~/.factory/skills/browser/start.js --profile
# or
~/.claude/skills/browser/start.js --profile

2. Log into Pocket

Navigate to https://app.heypocket.com and log in:

~/.factory/skills/browser/nav.js https://app.heypocket.com

3. Extract Token

python3 scripts/reader.py extract

Token is saved to ~/.pocket_token.json and expires in 1 hour.
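
One way to follow the scan's advice to review and remove ~/.pocket_token.json after use, as an added example that is not part of the skill's own code: it flags the file when group or other users have any access to it and deletes it once the token's exp claim has passed. The file's JSON layout is not shown on this page, so the code assumes only that the Firebase token is stored somewhere in it as a JWT string; `jwt_exp`, `find_exps` and `audit_token_file` are hypothetical names.

```python
import base64, json, stat, time
from pathlib import Path

TOKEN_FILE = Path.home() / ".pocket_token.json"  # location stated on this page

def jwt_exp(token):
    """Return a JWT's 'exp' claim (payload decoded, signature NOT verified) or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return claims.get("exp") if isinstance(claims, dict) else None

def find_exps(node):
    """Walk arbitrary JSON; collect 'exp' from every JWT-shaped string value."""
    if isinstance(node, str):
        exp = jwt_exp(node)
        return [exp] if isinstance(exp, (int, float)) else []
    if isinstance(node, dict):
        node = list(node.values())
    if not isinstance(node, list):
        return []
    return [exp for child in node for exp in find_exps(child)]

def audit_token_file(path=TOKEN_FILE, now=None, remove_expired=False):
    """Flag loose permissions and expired tokens; optionally delete an expired file."""
    path = Path(path)
    now = time.time() if now is None else now
    if not path.exists():
        return ["absent"]
    findings = []
    if stat.S_IMODE(path.stat().st_mode) & 0o077:  # any group/other access bit
        findings.append("group-or-other-access")
    try:
        exps = find_exps(json.loads(path.read_text()))  # layout is an assumption
    except ValueError:
        exps = []
    if not exps:
        findings.append("no-jwt-found")
    elif max(exps) <= now:
        findings.append("expired")
        if remove_expired:
            path.unlink()
            findings.append("removed")
    return findings or ["ok"]
```

Calling `audit_token_file(remove_expired=True)` after a session returns the list of findings and leaves no expired token file behind.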

Usage

List Recordings

from pathlib import Path
import sys
sys.path.insert(0, str(Path.home() / '.claude/skills/pocket-transcripts/scripts'))
from reader import get_recordings, get_recording_full

recordings = get_recordings(days=30, limit=20)
for r in recordings:
    print(f"{r.recorded_at:%Y-%m-%d} | {r.duration_str} | {r.title}")

Get Full Transcript and Summary

# Continues from the listing above: use the id of the first recording returned.
recording_id = recordings[0].id
full = get_recording_full(recording_id)

print(f"Transcript ({len(full['transcript'])} chars):")
print(full['transcript'][:500])

print("\nSummary (markdown):")
print(full['summary'])

print(f"\nAction Items: {len(full['action_items'])}")
for item in full['action_items']:
    print(f"  - {item}")

Search Recordings

# Requires the same sys.path setup as in "List Recordings".
from reader import search_recordings

results = search_recordings("meeting", days=90)
for r in results:
    print(f"{r.title} - {r.description[:100]}")

API Details

Base URL: https://production.heypocketai.com/api/v1

Auth: Firebase Bearer token from browser IndexedDB

Key Endpoints:

  • GET /recordings - List with pagination, filters
  • GET /recordings/{id}?include=all - Full data with transcript/summary

Data Structure:

  • Transcript: data.transcription.transcription.text
  • Summary: data.summarizations[id].v2.summary.markdown
  • Action Items: data.summarizations[id].v2.actionItems.items

Token Refresh

Firebase tokens expire in 1 hour. When expired:

  1. Ensure Chrome is running with --profile
  2. Confirm you are logged into app.heypocket.com
  3. Re-run: python3 scripts/reader.py extract

Data Model

PocketRecording

  • id, title, description
  • duration (seconds), duration_str (human readable)
  • recorded_at, created_at
  • has_transcription, has_summarization
  • num_speakers
  • latitude, longitude (if location enabled)
  • tags (list of strings)

PocketSummarization

  • summary (markdown formatted)
  • action_items (list)
  • transcript (raw text)
