Openclaw Podcast

Pass. Audited by ClawScan on May 10, 2026.

Overview

No clear malicious behavior was found, but the skill works by sending workspace context to Superlore and can save an API key and create recurring podcast jobs.

Before installing, decide whether your workspace memory is appropriate to send to Superlore, confirm episodes are private, and review any cron jobs or shell-profile changes the setup wizard proposes. The visible behavior is disclosed and aligned with podcast generation, but it handles sensitive work context and persistent scheduling.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Podcast episodes may be based on sensitive project notes, priorities, metrics, or blockers from your workspace.

Why it was flagged

The skill explicitly reads workspace memory files and uses the Superlore API to generate podcast briefings, so private work context may leave the local workspace.

Skill content

network: "HTTPS requests to superlore-api.onrender.com" ... filesystem: "Reads workspace files (memory/*.md, JOBS.md, HEARTBEAT.md, MEMORY.md)."

Recommendation

Use this only in workspaces whose contents you are comfortable sending to Superlore. Review dry-run output where available, avoid storing secrets in memory files, and verify episodes are created as private.

What this means

Anyone or any process that can read your shell profile may be able to access the Superlore API key.

Why it was flagged

The setup wizard can store the Superlore API key in the user's shell startup file so future runs can authenticate.

Skill content

fs.appendFileSync(rcFile, `\n# Superlore Podcast Briefings\nexport SUPERLORE_API_KEY="${apiKey}"\n`);

Recommendation

Save the key to your shell profile only if you are comfortable with that persistence. Keep file permissions tight and rotate the key if it is exposed.

Note (High Confidence)

ASI10: Rogue Agents

What this means

If scheduled, the skill may continue generating podcast episodes and sending workspace context on the configured cadence.

Why it was flagged

The skill supports recurring scheduled podcast generation, which is disclosed and user-confirmed but creates ongoing automated activity.

Skill content

cron: "Setup wizard outputs openclaw cron commands for scheduling. Runs them only with explicit user confirmation."

Recommendation

Confirm the exact schedule before enabling it, periodically review configured OpenClaw cron jobs, and remove schedules you no longer want.

What this means

Running the setup wizard may execute local scheduling commands, not just print instructions.

Why it was flagged

The setup script imports Node's child_process functionality, and the static scan also reported shell command execution in this file.

Skill content

const { execFileSync } = require('child_process');

Recommendation

Run the setup script only from a trusted checkout, read any commands it proposes before confirming, and add cron jobs manually if you prefer stricter control.