Podcastifier
v0.1.0
Turn incoming text (email/newsletter) into a short TTS podcast with chunking + ffmpeg concat.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binaries (python3, ffmpeg), and included code all align with a local TTS + ffmpeg concat utility. The README and SKILL.md describe the same feature set implemented by podcastify.py.
Instruction Scope
Runtime instructions and code stay within the stated purpose (read input, chunk, synthesize per chunk, concat). Minor concerns: synthesize() is a placeholder and does not implement a real TTS provider; README mentions optional Signal/Telegram delivery hook that is not implemented (scope mismatch). The script uses deprecated/insecure tempfile.mktemp which can be vulnerable to race/symlink attacks — this is a safety/coding-quality issue rather than evidence of malicious intent.
Install Mechanism
No install spec — instruction-only with a small Python script and dependency on ffmpeg. Nothing is downloaded or executed from arbitrary URLs.
Credentials
The skill declares no required env vars (and the code does not read any). README mentions supplying a TTS API key via env for a real provider, but that is not implemented or declared in metadata — the discrepancy is informational, not an immediate risk. If you wire a real TTS provider, you'll need to provide that provider's credentials.
Persistence & Privilege
Skill does not request persistent presence (always=false), does not modify other skills or system configs, and requires no special config paths.
Assessment
This skill appears to do what it says: split text, create temporary WAVs, and concat them with ffmpeg. Before installing/using: (1) be aware the script is a skeleton — you must implement a real TTS provider and supply its API key (store keys securely; the skill does not declare env vars). (2) The code uses tempfile.mktemp (insecure) to create temp files — consider replacing with tempfile.mkstemp or tempfile.NamedTemporaryFile to avoid race/symlink attacks. (3) The README mentions a Signal/Telegram delivery hook, but no such code is present; treat that as an unimplemented feature. (4) Because it runs ffmpeg and writes temp files, avoid running this on sensitive or untrusted input without auditing changes you make for provider wiring. Overall the package is coherent and not requesting unrelated credentials or network endpoints.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: python3, ffmpeg
