Is transcriptapi safe?
https://clawhub.ai/therohitdas/transcriptapi
TranscriptAPI is a legitimate YouTube transcript/search skill with a freemium commercial model. The primary concerns are: (1) an executable auth script that sends the user's email address to a third-party service and writes to a shared config file, (2) a dynamic OpenAPI spec reference that could enable instruction injection if the server is compromised, and (3) reads of sensitive dotfiles by the OpenClaw runtime during installation. No malicious behavior was detected, but the combination of code execution, external data flows, and server-controlled behavior warrants caution.
Findings (9)
MEDIUM Auth script sends user email to third-party service -15
The tapi-auth.js register command sends the user's email address to transcriptapi.com/api/auth/register-cli. While this is part of the disclosed account creation flow, it constitutes user PII leaving the machine to a third-party endpoint.
MEDIUM External OpenAPI spec reference enables dynamic instruction injection -15
SKILL.md instructs the agent to consult transcriptapi.com/openapi.json for 'the latest parameters and schemas'. If that endpoint is compromised or modified, it could inject new instructions into the agent's context without updating the skill package.
LOW Proactive behavior trigger without explicit user instruction -10
SKILL.md instructs the agent to automatically fetch transcripts and summarize when a user shares a YouTube URL with no instruction. This overrides the principle of only acting on explicit requests.
MEDIUM Executable script writes to shared config and makes network requests -22
tapi-auth.js is a 300+ line Node.js script that the skill instructs the agent to execute. It writes API keys to ~/.openclaw/openclaw.json and makes authenticated HTTP requests to transcriptapi.com. While the code appears legitimate upon review, it represents a non-trivial executable surface.
LOW API key stored in shared config file accessible to other skills -10
The TRANSCRIPT_API_KEY is saved to ~/.openclaw/openclaw.json, a shared configuration file. Any other installed skill with filesystem read access could extract this key.
LOW Runtime environment reads sensitive dotfiles during install -10
Filesystem monitoring shows reads of .env, .aws/credentials, .profile, and .bashrc during the install phase. These appear to be from the OpenClaw runtime rather than the skill itself, but the skill benefits from this environment context.
INFO Clean clone with no unexpected network or process activity -10
No network connections, no firewall blocks, no unexpected processes during clone. All filesystem activity is attributable to standard system and OpenClaw runtime operations.
INFO Commercial skill with freemium upsell model -15
The skill is designed to drive user signups and credit purchases for transcriptapi.com. This is a legitimate business model but means the skill author has financial incentive to maximize data collection and API usage.
MEDIUM Server-side behavior can change without skill update -20
Both the OpenAPI spec reference and the auth endpoints are server-controlled. The skill author could modify server behavior (e.g., what data the auth flow collects, what the API returns) without publishing a new skill version.