ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Transistor FM

v1.0.0

Manage podcasts on Transistor.fm via their API. Use when creating, publishing, updating, or deleting podcast episodes, uploading audio files, listing shows/e...

0· 328·0 current·0 all-time
byChristoph Rumpel@christophrumpel
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description describe Transistor.fm podcast management and the SKILL.md contains curl examples for listing shows, uploading audio, creating and publishing episodes, and checking analytics — all consistent with the stated purpose. However, the skill's source is unknown and no homepage or provenance is provided, which reduces trustworthiness.
Instruction Scope
Instructions are generally scoped to calling the Transistor.fm API and uploading audio; they don't ask to read unrelated system files. Issues: the doc references a local file 'references/api.md' that is not present in the bundle, and examples use undefined variables ($BASE, $KEY, $UPLOAD_URL, $AUDIO_URL) which are ambiguous. The guidance to 'retrieve from a secrets manager' is vague and could lead an agent to attempt accessing a secrets service if not constrained.
Install Mechanism
No install spec and no code files (instruction-only) — low installation risk because nothing is written to disk by an installer. The regex scanner had no code to analyze.
!
Credentials
The SKILL.md explicitly requires a Transistor.fm API key (suggesting env var TRANSISTOR_API_KEY or retrieving from a secrets manager), but the registry metadata lists no required environment variables or primary credential. This mismatch is problematic: the skill needs a secret to function but does not declare it, and its vague suggestion to use a secrets manager could cause an agent to attempt broad secret-access actions unless you restrict that capability.
Persistence & Privilege
Skill is not always-included and doesn't request elevated or persistent privileges. Model invocation is allowed (normal). There is no instruction to modify other skills or system-wide settings.
What to consider before installing
This skill appears to do what it says (manage Transistor.fm via their API) but there are important inconsistencies and missing provenance you should address before installing. Specifically: (1) the SKILL.md requires an API key (it suggests TRANSISTOR_API_KEY) but the registry metadata doesn't declare it — treat that as a red flag and assume the agent will need that secret. (2) The doc refers to a missing references/api.md and uses undefined variables ($BASE, $KEY), so test in a safe environment first. (3) Avoid granting the agent broad access to a secrets manager; instead provide only the Transistor API key and only to the skill's scope if possible. (4) Because the skill's source/homepage are unknown, prefer to use an official or well-documented plugin from a trusted publisher, or manually implement the minimal curl commands yourself. If you proceed, limit the agent's secret access to a single TRANSISTOR_API_KEY and monitor requests to ensure it only calls api.transistor.fm and uploads files you expect.

Like a lobster shell, security has layers — review code before you run it.

latestvk97edksnxa3cbbyg0x0gw4np6581wgr6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Transistor.fm Podcast Management

Manage podcasts hosted on Transistor.fm through their REST API.

Prerequisites

  • Transistor.fm API key (from Dashboard → Account)
  • Store as environment variable TRANSISTOR_API_KEY or retrieve from a secrets manager

Quick Reference

All requests use base URL https://api.transistor.fm/v1 with header x-api-key: <key>. Rate limit: 10 requests per 10 seconds.

For full endpoint details, parameters, and response formats, see references/api.md.

Core Workflows

List shows and episodes

# Get all shows
curl -s "$BASE/shows" -H "x-api-key: $KEY"

# Get episodes for a show
curl -s "$BASE/episodes?show_id=SHOW_ID" -H "x-api-key: $KEY"

Upload audio and create an episode

Three-step process:

# 1. Get authorized upload URL
UPLOAD=$(curl -s "$BASE/episodes/authorize_upload?filename=episode.mp3" -H "x-api-key: $KEY")
# Extract upload_url and audio_url from response

# 2. Upload the audio file
curl -X PUT -H "Content-Type: audio/mpeg" -T /path/to/episode.mp3 "$UPLOAD_URL"

# 3. Create episode with the audio_url
curl -s "$BASE/episodes" -X POST -H "x-api-key: $KEY" \
  -d "episode[show_id]=SHOW_ID" \
  -d "episode[title]=My Episode" \
  -d "episode[summary]=Short description" \
  -d "episode[audio_url]=$AUDIO_URL"

Episode is created as draft. Publish separately.

Publish an episode

# Publish now
curl -s "$BASE/episodes/EPISODE_ID/publish" -X PATCH -H "x-api-key: $KEY" \
  -d "episode[status]=published"

# Schedule for future
curl -s "$BASE/episodes/EPISODE_ID/publish" -X PATCH -H "x-api-key: $KEY" \
  -d "episode[status]=scheduled" \
  -d "episode[published_at]=2026-03-01 09:00:00"

Check analytics

# Show-level (last 14 days default)
curl -s "$BASE/analytics/SHOW_ID" -H "x-api-key: $KEY"

# Episode-level
curl -s "$BASE/analytics/episodes/EPISODE_ID" -H "x-api-key: $KEY"

# Custom date range (dd-mm-yyyy)
curl -s "$BASE/analytics/SHOW_ID?start_date=01-01-2026&end_date=31-01-2026" -H "x-api-key: $KEY"

Tips

  • Episodes are always created as drafts — publish is a separate step, allowing review before going live
  • Use episode[increment_number]=true to auto-assign the next episode number
  • episode[description] supports HTML; episode[summary] is plain text
  • Audio upload URLs expire in 600 seconds — upload promptly after authorizing
  • Use sparse fieldsets to reduce response size: fields[episode][]=title&fields[episode][]=status

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…