Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AssemblyAI advanced speech transcription
v1.0.1
Transcribe, diarise, translate, post-process, and structure audio/video with AssemblyAI. Use this skill when the user wants AssemblyAI specifically, needs hi...
⭐ 3· 2.9k·7 current·7 all-time
by Tristan Manchester @tristanmanchester
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name and description match what the code and SKILL.md implement: a Node CLI that uploads audio, calls AssemblyAI transcription and the AssemblyAI LLM Gateway, and renders various export formats. Required binary (node) and primary env var (ASSEMBLYAI_API_KEY) are appropriate and expected.
Instruction Scope
SKILL.md and the script direct the agent to upload local files to AssemblyAI, call AssemblyAI STT and LLM Gateway endpoints, and optionally send transcript text to the LLM Gateway for structured extraction. This is coherent for the stated features but has privacy implications: audio and transcript text will be transmitted to AssemblyAI/LLM Gateway. The CLI also supports raw request passthroughs (--request / --understanding-request / --config) which let callers send arbitrary JSON to the Gateway — expected for flexibility, but an agent could be instructed to transmit arbitrary content.
Install Mechanism
No install spec; this is an instruction-only skill with included Node scripts. It requires node on PATH; there is no remote code download or archive extraction at install time. Risk is limited to executing the included scripts at runtime (normal for a CLI skill).
Credentials
Only ASSEMBLYAI_API_KEY is required (primaryEnv). Optional ASSEMBLYAI_BASE_URL / ASSEMBLYAI_LLM_BASE_URL are documented for EU routing. No unrelated secrets or system config paths are requested.
Persistence & Privilege
always is false and the skill does not request elevated or persistent platform privileges. It does not modify other skills' configs. Autonomous invocation is allowed by default and is normal; nothing here compounds that into a broader privilege.
Scan Findings in Context
[system-prompt-override] expected: The SKILL.md contains detailed runtime instructions intended to guide an agent; regex-based detectors can flag such instructional content as 'system-prompt-override'. This appears to be usage guidance rather than an attempt to stealthily override the platform system prompt, but you should scan the SKILL.md for any explicit directives that would ask an agent to alter its global/system prompts or to exfiltrate data beyond the AssemblyAI workflow.
Assessment
This skill appears internally consistent with its stated AssemblyAI transcription and LLM-Gateway features. Before installing: (1) Ensure you trust the source — the included Node script will be executed and will upload any local audio you pass to AssemblyAI. (2) Do not pass sensitive audio or secrets unless you are comfortable with them being processed by AssemblyAI/LLM Gateway. (3) Review the SKILL.md and scripts if you need to verify there are no additional outbound endpoints or instructions to read unrelated local files — the documented endpoints are AssemblyAI STT and LLM Gateway and the script only references those. (4) Note the CLI supports raw-request passthroughs that can send arbitrary JSON to the Gateway; only use those when you know what will be transmitted. If you want more assurance, request the skill from a verifiable homepage or vendor, or have someone audit the full scripts before granting runtime execution.
scripts/assemblyai.mjs:23
Environment variable access combined with network send.
scripts/assemblyai.mjs:629
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latest vk970kvbjqmz7vd2220564d443982x2hd
Runtime requirements
🎙️ Clawdis
Bins: node
Env: ASSEMBLYAI_API_KEY
Primary env: ASSEMBLYAI_API_KEY
