yt
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can use the TranscriptAPI key for requests, which may consume credits tied to the user’s account.
The skill requires a bearer API credential and can help create the service account/key. This is expected for the TranscriptAPI integration, but it is still sensitive authority.
name: TRANSCRIPT_API_KEY
prompt: Your TranscriptAPI key (starts with sk_)
help: Free account at https://transcriptapi.com — 100 credits, no card required. Or let the agent create one for you.
required_for: all API requestsUse a dedicated TranscriptAPI key, store it through the platform’s secret or environment-variable mechanism, and revoke or rotate it if it is exposed.
The API key may remain available to future agent sessions or local commands until the user removes it.
The setup may modify local shell or agent configuration so the key persists. This is disclosed and aligned with setup, but the storage location and scope should be verified.
Store it persistently using whatever method is correct for this environment ... available in future sessions, including non-interactive shells, without any manual sourcing step from the user.
Confirm where the key will be stored, prefer a secure secret store over broad shell profiles, and remove temporary files or config entries when no longer needed.