transcriptapi
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: transcriptapi Version: 1.5.0 The transcriptapi skill provides a toolkit for interacting with YouTube data via transcriptapi.com, covering transcripts, search, and channel metadata. It includes a detailed authentication setup guide (references/auth-setup.md) that helps users register for an API key directly through the agent. While the setup instructions include techniques to bypass agent-level redaction of secrets (e.g., writing API keys to temporary files to ensure the agent can read them), these are explicitly documented as functional workarounds for specific agent environments like Hermes or Claude Code. The code logic and instructions are consistent with the stated purpose of providing a managed YouTube data service and do not exhibit signs of data exfiltration or unauthorized execution.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may send a query or video-related request to TranscriptAPI and consume API credits in tasks where YouTube is only tangentially relevant.
The invocation guidance is broad and could cause the agent to bring in YouTube/TranscriptAPI even when the user did not explicitly ask for it. This is still related to the skill's stated purpose, so it is a notice rather than a concern.
Use when YouTube is or could be relevant — even if not mentioned
If you want tighter control, tell the agent to ask before using TranscriptAPI unless you explicitly request YouTube or video research.
Search terms, video URLs, channel handles, and similar inputs may be sent to transcriptapi.com, and repeated calls may use credits.
The skill documents external HTTP API calls that can consume TranscriptAPI credits. These calls are central to the skill's purpose and are disclosed.
GET /api/v2/youtube/search — 1 credit
Use normal care with private queries and ask the agent to limit pagination or bulk searches if credit use matters.
The agent will handle a TranscriptAPI credential that can use your account's API credits.
The setup flow asks the user for an API key or permission to create an account using their email and OTP. This is expected for this API integration and is user-directed.
If yes, paste your API key and I'll set it up. If not, I can create a free account for you right now
Only provide a TranscriptAPI key you are willing to use with this agent, and revoke or rotate the key if you no longer trust the environment.
The API key may remain available to future agent sessions, and mishandled temporary files could expose the credential locally.
The guide instructs the agent to place auth responses containing tokens or API keys in temporary files and then persist the API key for future sessions. It also instructs cleanup, which reduces but does not eliminate the need for user awareness.
save the raw response body to a temporary file... Store it persistently using whatever method is correct for this environment... Clean up any temporary files
Prefer a dedicated secret manager or scoped environment-secret mechanism, and confirm temporary files are deleted after setup.