Voice Notes Pro
PassAudited by ClawScan on May 10, 2026.
Overview
The skill appears aligned with its stated purpose of transcribing WhatsApp voice notes into Markdown, but it handles private audio/transcripts and has setup/metadata details users should review.
Before installing, confirm you want WhatsApp voice notes sent to OpenAI and saved under the configured notes directories. Replace any example phone number or /root/notes paths with your own settings, secure the OPENAI_API_KEY, and consider disabling full transcript console logging if the notes may be sensitive.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private WhatsApp voice notes may be sent to OpenAI for transcription.
The code reads the local voice-note audio file and sends it to OpenAI's transcription API. This is expected for Whisper transcription, but it moves private audio content to an external provider.
const audioFile = await fs.readFile(audioPath);
const response = await client.audio.transcriptions.create({
file: audioFile,
model: CONFIG.whisper.model,
language: CONFIG.whisper.language,
});Use this only for audio you are comfortable sending to OpenAI, and review OpenAI account, retention, and privacy settings before enabling it.
Dictated tasks, contacts, shopping lists, or ideas may remain in Markdown files and application logs.
The skill stores transcribed note content in persistent Markdown files and logs the full transcription. Persistent storage is central to the skill, but logs can create an additional copy of sensitive content.
console.log(`? Transkrypcja: "${transcription}"`);
...
await appendToFile(filePath, content);Review log retention and notes-directory permissions; remove or reduce full-transcript logging if the notes may contain sensitive information.
The skill can spend quota and access transcription services through the user's OpenAI account.
The code requires an OpenAI API key from the environment. This is appropriate for the stated Whisper integration, but registry metadata declares no required env vars or primary credential.
const apiKey = process.env.OPENAI_API_KEY;
if (!apiKey) {
throw new Error('OPENAI_API_KEY not found in environment variables');
}Provide the API key through a secure environment variable, use an appropriately scoped account or budget limit, and do not hard-code credentials in skill files.
Installing dependencies and restarting OpenClaw can affect the local agent environment.
The skill asks the user to install npm dependencies and restart the gateway even though the registry install spec is empty. This is a normal setup pattern for a Node skill, but it is a supply-chain and local-runtime step users should notice.
cd ~/.openclaw/skills/voice-notes-pro npm install openclaw gateway restart
Review package.json, consider pinning dependencies with a lockfile, and run the install only from a trusted copy of the skill.