Video Transcribe

Review

Audited by ClawScan on May 10, 2026.

Overview

The local transcription script looks appropriate, but the skill’s optional AI Edit instructions can expose a configured API key and upload media to a remote service.

The core `scripts/transcribe.sh` behavior appears suitable for local transcription with ffmpeg and Whisper. Before using the optional AI Edit section, do not run the API-key check as written, confirm you trust the remote endpoint, and only upload media files with explicit consent.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user who follows the AI Edit setup instructions could accidentally reveal their API key.

Why it was flagged

The stated purpose is to check whether the key is configured, but this Bash expansion prints the actual SPARKI_API_KEY when set. That can expose a live credential in terminal output, agent logs, or transcripts.

Skill content

echo "Key: ${SPARKI_API_KEY:+configured}${SPARKI_API_KEY:-MISSING}"
openclaw config set env.SPARKI_API_KEY "sk_live_your_key_here"

Recommendation

Do not run the key-check line as written. Replace it with a check that only prints configured/MISSING, and avoid pasting live keys into commands or logs.

What this means

If the AI Edit workflow is used, the selected video or audio file leaves the local machine and is processed by a remote service.

Why it was flagged

The optional AI Edit workflow uploads a selected local media file to an external API. This is disclosed, but it is separate from the core local transcription behavior.

Skill content

SPARKI_API_BASE="https://agent-api-test.aicoding.live/api/v1"
UPLOAD_RESP=$(curl -sS -X POST "${SPARKI_API_BASE}/business/assets/upload" \
  -H "X-API-Key: $SPARKI_API_KEY" -F "file=@${FILE_PATH}")

Recommendation

Use the core transcribe script for local-only transcription. Only use AI Edit after explicit user approval, and verify the endpoint and provider before uploading media.