ClawHub

PodcastIndex

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Podcast Index lookup skill that uses expected API credentials for read-only podcast searches, with ordinary privacy cautions for external queries.

Install this only if you want your agent to query Podcast Index with your API key and secret. Avoid sensitive podcast search terms if you do not want them sent to Podcast Index, and do not let the agent display auth headers, API keys, secrets, or generated hashes in logs or responses.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill is described broadly enough that it may activate for generic podcast-related user requests without clear limits on when external API use occurs. This can cause unnecessary third-party transmission of user queries and surprise users who did not expect their input to be sent to Podcast Index.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to send user queries to an external API using authenticated requests, but it does not warn the user that their search terms and related inputs will leave the local environment. This creates a privacy and consent issue, especially for sensitive podcast interests, names, or search terms.

External Transmission

Medium
Category
Data Exfiltration
Content
Prerequisites
	•	Ensure PODCASTINDEX_API_KEY and PODCASTINDEX_API_SECRET are set in the environment or config.
	•	All requests must be authenticated with specific headers.
	•	Base URL: https://api.podcastindex.org/api/1.0
Authentication
To authenticate a request:
	1	Get the current Unix timestamp: unixTime = Math.floor(Date.now() / 1000)
Confidence
84% confidence
Finding
https://api.podcastindex.org/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal