Skill v1.0.0

ClawScan security

AI播客生成器 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 20, 2026, 8:16 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's runtime instructions, required tools, and requested environment variables are coherent with a MagicPodcast integration, but there are metadata inconsistencies in the packaged files that merit further verification before installing.
Guidance
This skill appears to do what it claims: it asks for a source and language then posts to MagicPodcast endpoints using an API key. Before installing:

1) Verify the skill owner and slug/version mismatch (registry metadata vs _meta.json) — confirm you trust the publisher.
2) Make sure MAGICPODCAST_API_URL is the official API (https://api.magicpodcast.app) and obtain your API key from the official OpenClaw link shown in SKILL.md.
3) Keep sensitive documents local — the skill explicitly sends content to MagicPodcast; do not upload confidential files unless you're sure about the service's data handling.
4) Ensure curl and jq are available on the agent host.

If you need higher assurance about provenance, ask the publisher to resolve the metadata inconsistencies and provide a clear owner ID before proceeding.

Review Dimensions

Purpose & Capability
note: The name/description (PDF/text-to-podcast using MagicPodcast) match the declared requirements (curl, jq, MAGICPODCAST_API_URL, MAGICPODCAST_API_KEY) and the SKILL.md calls only MagicPodcast endpoints. However, package metadata inconsistencies exist: registry metadata lists ownerId 'kn75tsqd...' and slug 'delonix-ai-podcast' / version 1.0.0, while _meta.json shows ownerId 'kn79nyref...' slug 'ai-podcast' / version 1.0.11. This mismatch could be a benign packaging error but raises a provenance question.
Instruction Scope
ok: SKILL.md instructions are narrowly scoped to asking the user for topic/source/language and then calling the declared MagicPodcast API endpoints. It includes safe URL/job-id validation and JSON encoding with jq and warns users not to upload sensitive documents. The instructions do not reference other system files, secrets, or unexpected external endpoints.
Install Mechanism
ok: There is no install spec and no code files — the skill is instruction-only and relies on existing curl and jq binaries. This is the lowest-risk install mechanism.
Credentials
ok: The only environment variables required are MAGICPODCAST_API_URL and MAGICPODCAST_API_KEY, which are appropriate for calling the MagicPodcast API. No unrelated credentials or filesystem config paths are requested.
Persistence & Privilege
ok: The skill is not always-enabled, does not request elevated presence, and is user-invocable. It does not attempt to modify other skills or system-wide settings.