Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Podcast Agent
v1.0.2Search articles on any topic, generate a two-host dialogue script, and synthesize podcast audio via TTS. Turn long reads into listenable content.
⭐ 0· 33·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
Name and description match the included CLI script and SKILL.md: searching/fetching articles, producing a dialogue script, and synthesizing audio via edge-tts. However, requires.env lists a single entry 'edge-tts' which looks like a Python package name (or a mistake) rather than an environment variable or credential — this mismatch between stated metadata and actual needs is inconsistent.
Instruction Scope
SKILL.md instructs the agent to search web articles, fetch them, produce a JSON script, and call the included podcast_gen.py to synthesize with edge-tts. The included script enforces SSRF protections when fetching URLs, truncates content, and uses edge-tts and optionally ffmpeg for concatenation. The instructions don't ask for unrelated file reads or secret harvesting. Note: SKILL.md tells users to run 'pip install edge-tts' (network & package install).
Install Mechanism
There is no automatic install spec; this is an instruction-only skill with an included Python script. The only package referenced is edge-tts and pip install is suggested in SKILL.md — no remote arbitrary archive downloads or obscure URLs in the install path. That keeps install risk low, but manual installation of edge-tts (a third-party package) will contact PyPI and pull code.
Credentials
The skill declares a required environment variable named 'edge-tts'. The code never reads an env var named 'edge-tts' and instead imports the 'edge_tts' Python package at runtime. No credentials (API keys, tokens) are requested. Declaring an env var that isn't used is disproportionate and likely a metadata error — it could confuse users into setting secrets or indicate sloppy packaging. The skill will perform network I/O (fetch URLs, call Microsoft TTS endpoints via edge-tts) but does not request related credentials.
Persistence & Privilege
The skill is not always-enabled, is user-invocable, and does not request elevated system persistence. The code writes output into a local output/ directory and does not modify other skills or system-wide agent settings. Autonomous invocation is allowed (platform default) but there are no additional privilege escalations requested.
What to consider before installing
This skill appears to implement the podcast workflow it claims, but the metadata wrongly lists 'edge-tts' as a required environment variable even though the code imports the edge_tts Python package; this is likely a packaging/metadata error. Before installing or running: (1) treat it as code that will fetch arbitrary URLs and call network TTS services — avoid passing private/internal URLs or secrets; (2) inspect and, if necessary, run the script in a sandboxed environment; (3) install edge-tts from PyPI only if you trust that package (pip install edge-tts is suggested); (4) you don't need to set credentials for this skill as distributed, but verify whether you want to provide any API keys or private endpoints — the skill will not ask for them. If you plan to deploy widely, ask the author to fix the metadata (remove or correct the 'edge-tts' env var) so it's clear what secrets, if any, are required.Like a lobster shell, security has layers — review code before you run it.
latestvk97bem6a0tppj7jcc43axt5nyd842xaf
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binspython
Envedge-tts