Openclaw Podcast
v1.2.0
Transform your OpenClaw workspace into personalized AI-powered podcast briefings. Get daily audio updates on your work, priorities, and strategy in 8 compell...
by Superlore @adamjurgens
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description match its main requirements: it needs a SUPERLORE_API_KEY and network access to the Superlore API and reads workspace files (memory/*.md, JOBS.md, etc.) to build episode prompts. However, the scripts also read USER.md, workspace fallbacks under ~/.openclaw, and global podcast-styles under ~/.openclaw — behavior not explicitly enumerated in the high-level description. The setup wizard also offers to write the API key into ~/.zshrc or ~/.bashrc (this is declared in SKILL.md, but is an extra privilege beyond simple episode generation).
Instruction Scope
SKILL.md and references explicitly describe sending workspace content to Superlore and scheduling via cron. The shipped scripts, however, let you override the API URL (--api-url), load global and workspace-level custom styles (~/.openclaw/podcast-styles and workspace/podcast-styles), and read USER.md — i.e., they can read files beyond the four listed memory files. The setup wizard prompts to append the API key to shell profiles and may execute system commands (child_process.execFileSync is imported in setup-crons.js). These capabilities expand the data surface and scope of actions the skill can take if run interactively or if an operator supplies different arguments.
Install Mechanism
No install spec (instruction-only plus scripts). That minimizes risk from downloading arbitrary archives. The scripts use only Node built-ins (https, fs, path, child_process), and there is no remote code fetch in the install step.
Credentials
Only SUPERLORE_API_KEY is declared required, which is appropriate for a third‑party TTS/API integration. However, the setup wizard can write that key into shell RC files (persisting it on disk), and the code inspects HOME and SHELL environment variables and global config paths (~/.openclaw). Those behaviors increase the impact of granting the single API key (and persisting it broadly) and should be considered when deciding where/how to store credentials.
Persistence & Privilege
The skill does not force persistence via always:true, but the setup wizard offers to persist the API key to ~/.zshrc or ~/.bashrc and emits cron commands to schedule recurring episode generation. The code also looks for global custom styles in ~/.openclaw and may execute system commands (execFileSync imported). These are legitimate setup conveniences but are higher‑privilege actions (file writes and possible command execution) that require explicit user confirmation — ensure you review and approve any such steps before consenting.
What to consider before installing
This skill mostly does what it says: it reads your OpenClaw workspace and sends that content to Superlore.ai to produce TTS episodes. Before installing or running the setup wizard:
- Review the scripts (generate-episode.js and setup-crons.js) yourself. They are included and use only Node built-ins, so you can audit what they read and write.
- Be aware that running the setup wizard can append your SUPERLORE_API_KEY to ~/.zshrc or ~/.bashrc (persisting the key). Only allow that if you trust storing the key on disk.
- The tool will send the contents of your workspace (potentially large / sensitive text) to the Superlore API — consider using a dedicated API key or an account with limited privileges, or avoid saving personal secrets in the briefing data.
- The scripts allow overriding the API URL (--api-url). When running them, avoid pointing to unknown endpoints to prevent inadvertent data exfiltration.
- The setup wizard imports child_process.execFileSync and may run system commands to help install cron jobs; do not allow it to run commands unless you inspect the commands it will run. Prefer to copy/paste the printed cron commands and run them yourself.
If you want lower risk: use the skill in dry-run mode (preview prompts), create a dedicated Superlore API key with limited allowed quota, and do not accept the option to write the key to your shell profile.
Like a lobster shell, security has layers — review code before you run it.
