ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

audio-transcribe

v1.0.0

Transcribe, diarise, translate, post-process, and structure audio/video with AssemblyAI. Use this skill when the user wants AssemblyAI specifically, needs hi...

0· 72·0 current·0 all-time
by@tobeyrebecca

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for tobeyrebecca/toby-audio-transcribe.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "audio-transcribe" (tobeyrebecca/toby-audio-transcribe) from ClawHub.
Skill page: https://clawhub.ai/tobeyrebecca/toby-audio-transcribe
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: SKILLBOSS_API_KEY
Required binaries: node
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install tobeyrebecca/toby-audio-transcribe

ClawHub CLI

Package manager switcher

npx clawhub@latest install toby-audio-transcribe
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
Name/description and many assets claim AssemblyAI integration and show AssemblyAI endpoints and env names (ASSEMBLYAI_API_KEY), but the runnable code sets the API base to https://api.heybossai.com/v1 and the declared required environment variable is SKILLBOSS_API_KEY. Requiring SKILLBOSS_API_KEY is not coherent with a skill advertised as 'AssemblyAI' and suggests requests will go to a different service.
!
Instruction Scope
SKILL.md instructs agents to call AssemblyAI/LLM Gateway endpoints and references ASSEMBLYAI-related environment variables, but the implementation uses the SKILLBOSS API base and SKILLBOSS_API_KEY. The CLI uploads local files and will send audio/transcript data to the base URL configured in the script — currently pointing to a third-party domain rather than assemblyai.com. The skill also exposes raw request passthroughs (e.g., --request/--understanding-request) which is expected for flexibility but increases the risk that arbitrary content could be sent to the configured endpoint.
Install Mechanism
No install spec; it is an instruction-only Node.js CLI and only requires the 'node' binary. That is proportionate for a Node-based CLI skill.
!
Credentials
The skill requires a single env var named SKILLBOSS_API_KEY (declared as primary). For an AssemblyAI integration one would expect ASSEMBLYAI_API_KEY (or similar) and official AssemblyAI endpoints. Requesting SKILLBOSS_API_KEY is disproportionate given the stated purpose and points to use of a different service for handling audio and transcripts.
Persistence & Privilege
The skill does not request always:true and does not appear to modify other skills' configs. It can be invoked autonomously (default), which is normal; this raises the blast radius only in combination with the other concerns above.
Scan Findings in Context
[system-prompt-override] unexpected: A prompt-injection pattern was detected in SKILL.md. The skill's instructions are long and agent-directed (intended for other agents), increasing the potential impact of any prompt-injection content. This is not expected for a simple transcription helper and is worth attention.
What to consider before installing
Do not install or provide credentials until this mismatch is resolved. The skill advertises AssemblyAI but its script points to https://api.heybossai.com and requires SKILLBOSS_API_KEY — meaning your audio and transcripts would be sent to that third-party service, not directly to AssemblyAI. Ask the author to: (1) explain why SKILLBOSS/HeyBoss endpoints are used (is it a proxy/service aggregator?), (2) provide a clear privacy/data-flow statement, and (3) offer an option to use native AssemblyAI endpoints and the official ASSEMBLYAI_API_KEY. If you cannot verify the endpoint and operator, run the skill only in an isolated environment or prefer an alternative skill that explicitly uses assemblyai.com and the official AssemblyAI credential. Also be cautious because the SKILL.md contains long agent-facing instructions (and a detected system-prompt-override pattern), which increases risk if combined with an untrusted remote endpoint.
scripts/assemblyai.mjs:28
Environment variable access combined with network send.
!
scripts/assemblyai.mjs:625
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎙️ Clawdis
Binsnode
EnvSKILLBOSS_API_KEY
Primary envSKILLBOSS_API_KEY
aivk9780r89n9sabb50p061zz16m984t6vxautomationvk9780r89n9sabb50p061zz16m984t6vxlatestvk9780r89n9sabb50p061zz16m984t6vx
72downloads
0stars
1versions
Updated 1w ago
v1.0.0
MIT-0
@tobeyrebecca
aiautomationlatest
Download

📖 Complete setup guide: https://skillboss.co/skill.md

AssemblyAI transcription, Speech Understanding, and agent-friendly exports

Use this skill when the user wants AssemblyAI rather than generic transcription, or when the job benefits from AssemblyAI-specific capabilities such as:

  • model routing across universal-3-pro and universal-2
  • language detection and code switching
  • diarisation plus speaker name / role mapping
  • translation, custom formatting, or AssemblyAI speaker identification
  • subtitles, paragraphs, sentences, topic / entity / sentiment tasks
  • transcript output that is easy for other agents to consume as Markdown or normalised JSON

The skill is designed for AI agents like OpenClaw, not just end users. It provides:

  1. A no-dependency Node CLI in scripts/assemblyai.mjs (and a compatibility wrapper at assemblyai.mjs)
  2. Bundled model/language knowledge via models and languages commands
  3. Stable transcript output formats
    • agent-friendly Markdown
    • normalised agent JSON
    • bundle manifests for downstream automation
  4. Speaker mapping workflows
    • manual speaker/channel maps
    • AssemblyAI speaker identification
    • merged display names in both Markdown and JSON
  5. AssemblyAI LLM Gateway integration for structured extraction from transcripts

Use this skill in this order

1) Decide whether the user needs AssemblyAI-specific behaviour

If they just want “a transcript”, a generic solution may be enough. Reach for this skill when the user mentions AssemblyAI, wants a specific AssemblyAI feature, or needs the richer outputs and post-processing this skill provides.

2) Pick the best entry point

  • New transcriptiontranscribe
  • Existing transcript idget or wait
  • Re-render existing saved JSONformat
  • Post-process an existing transcriptunderstand
  • Run transcript text through LLM Gatewayllm
  • Need a quick capability lookup before decidingmodels or languages

3) Prefer the agent-friendly defaults

For most unknown-language or mixed-language jobs, prefer:

node {baseDir}/assemblyai.mjs transcribe INPUT   --bundle-dir ./assemblyai-out   --all-exports

Why:

  • the CLI defaults to auto-best routing when models are not specified
  • it writes a manifest + multiple files that agents can inspect without reparsing terminal output
  • Markdown and agent JSON become available immediately for follow-on steps

Quick-start recipes

Best general default

Use this when the source language is unknown or could be outside the 6-language Universal-3-Pro set:

node {baseDir}/assemblyai.mjs transcribe ./meeting.mp3   --bundle-dir ./out   --all-exports

This defaults to model routing plus language detection unless the request already specifies a model or language.

Best known-language accuracy

If the language is known and supported by Universal-3-Pro, prefer an explicit request:

node {baseDir}/assemblyai.mjs transcribe ./meeting.mp3   --speech-model universal-3-pro   --language-code en_us   --bundle-dir ./out

Meeting / interview with speaker labels

node {baseDir}/assemblyai.mjs transcribe ./meeting.mp3   --speaker-labels   --bundle-dir ./out

Add explicit speaker names or roles

Manual mapping:

node {baseDir}/assemblyai.mjs transcribe ./meeting.mp3   --speaker-labels   --speaker-map @assets/speaker-map.example.json   --bundle-dir ./out

AssemblyAI speaker identification:

node {baseDir}/assemblyai.mjs transcribe ./meeting.mp3   --speaker-labels   --speaker-type role   --known-speakers "host,guest"   --bundle-dir ./out

Or post-process an existing transcript:

node {baseDir}/assemblyai.mjs understand TRANSCRIPT_ID   --speaker-type name   --speaker-profiles @assets/speaker-profiles-name.example.json   --bundle-dir ./out

Translation

node {baseDir}/assemblyai.mjs transcribe ./meeting.mp3   --translate-to de,fr   --match-original-utterance   --bundle-dir ./out

Structured extraction through LLM Gateway

node {baseDir}/assemblyai.mjs llm TRANSCRIPT_ID   --prompt @assets/example-prompt.txt   --schema @assets/llm-json-schema.example.json   --out ./summary.json

Command guidance

transcribe

Use for local files or remote URLs.

  • Local files are uploaded first.
  • Public URLs are sent directly to AssemblyAI.
  • Waits by default, then renders output.

Prefer --bundle-dir for anything longer than a trivial clip.

get / wait

Use when you already have the transcript id. wait blocks until completion; get fetches immediately unless you add --wait.

format

Use when you already saved:

  • raw transcript JSON from AssemblyAI, or
  • the normalised agent JSON produced by this skill

This is useful when you want to apply a new speaker map, re-render Markdown, or generate a fresh bundle without retranscribing.

understand

Use when you need AssemblyAI Speech Understanding on an existing transcript:

  • translation
  • speaker identification
  • custom formatting

This command fetches the transcript, merges in the returned understanding results, then renders updated Markdown / agent JSON / bundle outputs.

llm

Use when the user wants:

  • summaries
  • extraction
  • structured JSON
  • downstream reasoning over the transcript

Prefer --schema when the next step is automated.

Output strategy

Best default for agents: bundle mode

--bundle-dir writes a directory containing:

  • Markdown transcript
  • agent JSON
  • raw JSON
  • optional paragraphs / sentences / subtitles
  • a machine-readable manifest

This is usually better than dumping everything to stdout.

Primary output kinds

Use --export to choose the main output:

  • markdown (default)
  • agent-json
  • json / raw-json
  • text
  • paragraphs
  • sentences
  • srt
  • vtt
  • manifest

Sidecar outputs

You can request extra files directly with:

  • --markdown-out
  • --agent-json-out
  • --raw-json-out
  • --paragraphs-out
  • --sentences-out
  • --srt-out
  • --vtt-out
  • --understanding-json-out

Speaker mapping rules

Speaker display names are merged in this order:

  1. manual --speaker-map
  2. AssemblyAI speaker identification mapping
  3. fallback generic names like Speaker A or Channel 1

This means you can let AssemblyAI identify speakers first, then still override individual display names later.

Example manual map file: assets/speaker-map.example.json

Model and language lookup

Before choosing parameters, inspect the bundled reference data:

node {baseDir}/assemblyai.mjs models
node {baseDir}/assemblyai.mjs models --format json
node {baseDir}/assemblyai.mjs languages --model universal-3-pro
node {baseDir}/assemblyai.mjs languages --model universal-2 --codes --format json

The bundled data lives in:

  • assets/model-capabilities.json
  • assets/language-codes.json

Important operating notes

  • Keep API keys out of chat logs; use environment injection.
  • Use the EU AssemblyAI base URL when the user explicitly needs EU processing.
  • Uploads and transcript creation must use API keys from the same AssemblyAI project.
  • Prefer --bundle-dir or --out for long outputs.
  • The CLI is non-interactive and sends diagnostics to stderr, which makes it easier for agents to script reliably.
  • Use raw --config or --request when you need a newly added AssemblyAI parameter that this skill has not exposed yet.

Reference files

Read these when you need more depth:

Key bundled files

  • assemblyai.mjs — root wrapper for compatibility with the original skill
  • scripts/assemblyai.mjs — main CLI
  • assets/speaker-map.example.json
  • assets/speaker-profiles-name.example.json
  • assets/speaker-profiles-role.example.json
  • assets/custom-spelling.example.json
  • assets/llm-json-schema.example.json
  • assets/transcript-agent-json-schema.json

Sanity checks before finishing a task

  • Did you pick the right region (api.assemblyai.com vs api.eu.assemblyai.com)?
  • Did you choose a model strategy that matches the language situation?
  • If speaker naming matters, did you enable diarisation and/or provide a speaker map?
  • If the result will feed another agent, did you produce Markdown and/or agent JSON rather than only raw stdout?
  • If the transcript will be machine-consumed, did you keep the manifest or explicit output filenames?

Comments

Loading comments...