AssemblyAI advanced speech transcription

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: assemblyai-transcribe
Version: 1.0.1

The skill is a legitimate and well-structured integration for AssemblyAI services, providing tools for transcription, speaker diarization, and LLM-based transcript analysis. The core logic in `scripts/assemblyai.mjs` uses standard Node.js modules to interact with official AssemblyAI API endpoints (e.g., api.assemblyai.com and llm-gateway.assemblyai.com) and includes robust error handling and retry logic. There is no evidence of malicious intent, data exfiltration, or prompt injection; the ability to read local files via the '@' prefix is a documented feature for loading configuration and prompts necessary for the skill's operation.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can use your AssemblyAI account quota and access transcript jobs available to that API key.

Why it was flagged

The CLI uses an AssemblyAI API key from an environment variable or flag to authenticate provider requests, which is expected for this service integration.

Skill content

const apiKey = String(flags['api-key'] ?? process.env.ASSEMBLYAI_API_KEY ?? '');

Recommendation

Use a scoped AssemblyAI key where possible, keep it in the environment rather than prompts, and revoke or rotate it if exposed.

What this means

Private meeting or media content may leave the local machine and be processed by AssemblyAI services.

Why it was flagged

Transcript text may be sent to AssemblyAI's LLM Gateway for summaries or structured extraction, which is disclosed and aligned with the skill purpose.

Skill content

This skill therefore prepares transcript text and sends it to:

- `https://llm-gateway.assemblyai.com/v1/chat/completions`

Recommendation

Only process audio, video, and transcripts you are allowed to send to AssemblyAI, and review prompts, schemas, and output files for sensitive information.

What this means

If used carelessly, an agent or user could send broader-than-intended request bodies or parameters to the provider.

Why it was flagged

Raw provider request passthroughs are explicitly documented and useful for advanced AssemblyAI parameters, but they bypass the safer predefined workflows.

Skill content

This skill deliberately exposes raw passthrough options:

- `--config` for transcription requests
- `--understanding-request` for speech understanding
- `--request` for LLM Gateway chat completions

Recommendation

Prefer the documented default commands unless you need a specific AssemblyAI parameter, and review any raw JSON request before sending it.

What this means

Users have less provenance information for deciding whether the bundled Node script is the intended implementation.

Why it was flagged

The registry metadata does not identify a source repository or homepage, although the skill includes bundled code and references AssemblyAI documentation in SKILL.md.

Skill content

Source: unknown; Homepage: none

Recommendation

Install only from a trusted registry entry and review the bundled script before using it with sensitive media or production credentials.