Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Scientific Podcast Summary

v1.0.0

Automatically summarize scientific podcasts like Huberman Lab and Nature.

by AIpoch @aipoch-ai
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
Name/description (summarize scientific podcasts) match the implementation: the package contains parsers for Huberman and Nature and a summary workflow that calls an LLM. However, the registry metadata claims no required environment variables, while SKILL.md and scripts/main.py require an OPENAI_API_KEY (and optionally OPENAI_BASE_URL / OPENAI_MODEL). That mismatch is an inconsistency between the declared and the actual capability.
! Instruction Scope
SKILL.md instructs running scripts/main.py and documents the OPENAI_* env vars; the script scrapes remote podcast pages, reads environment variables, and sends scraped text to an external LLM API. That scope is appropriate for a summarizer, but SKILL.md and the code allow sending up to ~15k characters of scraped content to the LLM, which is a data-exfiltration / privacy risk if the content contains sensitive material. Also, SKILL.md requires env vars that are absent from the registry metadata, so the privileges granted to the agent are understated.
Install Mechanism
No install spec in the registry (instruction-only) and dependencies are standard Python packages (requests, beautifulsoup4, openai). This is low install risk compared to arbitrary downloads or extract/install steps.
! Credentials
The script legitimately needs an API key for an LLM (OPENAI_API_KEY). That single credential is proportionate to the stated purpose, but the registry says 'no required env vars' while SKILL.md and scripts/main.py require OPENAI_API_KEY (and optionally OPENAI_BASE_URL and OPENAI_MODEL). This omission is a notable inconsistency and could mislead users about what secrets the skill will use. No other unrelated credentials are requested.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-wide privileges. It is an on-demand script that reads/writes files (output path) and performs network access to scrape pages and call an LLM; these are normal for its purpose.
What to consider before installing
Key things to consider before installing or running:
- The script requires an LLM API key (OPENAI_API_KEY) even though the registry metadata lists no required env vars. Treat the mismatch as a red flag and confirm the author/publisher before supplying credentials.
- Running the skill will fetch and scrape podcast pages and send up to ~15k characters of text to the configured LLM endpoint. Do not supply sensitive or private content as input or allow the script to run on internal links.
- Review scripts/main.py locally (it is included) to verify there are no hidden endpoints or surprises. Running python -m py_compile scripts/main.py and python scripts/main.py --help are reasonable sanity checks (both are suggested by the package).
- Consider running the tool in an isolated environment (container or VM) and use a scoped API key with limited quota if possible. If your organization can provide an allow-listed endpoint or an audit log for the API key, prefer that.
- Confirm whether you want the default OPENAI_BASE_URL (https://api.openai.com/v1) or a custom base URL; the script will send content to whatever OPENAI_BASE_URL you set.
If you need a safer test: run the script with a fake OPENAI_API_KEY to confirm it fails cleanly, and inspect the output/fallback behavior. If you plan to use it in production, ask the author to fix the registry metadata so required env vars are declared, and consider adding explicit confirmation prompts before sending data to the LLM.
