Skillv1.0.4

ClawScan security

SenseAudio Podcast Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 17, 2026, 1:26 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill appears to implement the claimed podcast generation features, but it reads and uses sensitive local configuration (openclaw.json), expects messaging service credentials, and contains metadata mismatches — the requested access is broader than what the description/registry declare.
Guidance: Things to consider before installing: - Metadata mismatch: The registry entry listed no required env or config paths, but SKILL.md and the shipped scripts require FFmpeg and SENSEAUDIO_API_KEY and also read your ~/.openclaw/openclaw.json for gateway tokens and Feishu app credentials. Expect the code to access that file and use any credentials inside. - Sensitive data access: The skill will try to read appId/appSecret and gateway tokens from your OpenClaw config and use them to upload audio to Feishu and send messages via the local gateway or 'openclaw' CLI. If you keep other service credentials in openclaw.json, those could be read at runtime. Only install if you trust the author and are comfortable with the skill accessing that config file. - Tests and runtime require openclaw.json: The included tests assert that openclaw.json exists and contains SENSEAUDIO_API_KEY, so installing/running tests may fail or leak info if you don't have a safe test config. The code also contains hard-coded demo folder tokens and project paths—inspect and remove them if necessary. - Mitigations and next steps: - Inspect ~/.openclaw/openclaw.json yourself before running; remove or move unrelated secrets you don't want the skill to see. - Prefer providing needed tokens explicitly (SENSEAUDIO_API_KEY and an upload token) rather than leaving app secrets in a global config file; ask the skill author to accept explicit credentials via environment variables or secure prompts. - If you need to run it, run inside a sandboxed account or VM that does not contain other sensitive OpenClaw credentials. - Ask the author to update registry metadata to list required config paths and credentials (openclaw.json, Feishu app secrets, gateway token) so the permission model is transparent. If you are not comfortable with a skill reading local agent configuration and messaging credentials, do not install or run it until the author provides a version that requests only the minimal, explicit credentials it needs.
Findings: [reads_openclaw_config] unexpected: generate.py and tests explicitly load ~/.openclaw/openclaw.json to obtain SENSEAUDIO_API_KEY, gateway tokens, and Feishu appId/appSecret. Reading a user agent config file (and extracting app secrets) is broader than the declared single SENSEAUDIO_API_KEY requirement and should be declared and justified. [feishu_upload_using_app_secret] expected: Uploading generated audio to Feishu is consistent with the skill's IM delivery features; however the code obtains app_id/app_secret from openclaw.json instead of requiring the user to provide a distinct upload token. The use is expected for Feishu upload, but the manner (reading local config containing secrets) should be explicit to the user. [calls_local_gateway_and_cli] expected: The skill calls a local OpenClaw gateway (http://localhost:18789) and may invoke 'openclaw message send' via subprocess. This aligns with the described IM delivery behavior, but it implies the skill will use local messaging credentials and possibly send files through the agent automatically. [hardcoded_paths_and_tokens] unexpected: The code uses hard-coded project paths (/home/wang/桌面/龙虾工作区/...), a default Feishu folder token 'DtGffqCRTl0s3Rdv56DcAGghnyb', and default output dirs. Hard-coded local paths and tokens are brittle and may leak test/demo values; presence of these suggests the package was packaged from a developer's workstation and could unexpectedly reference user-local paths.

Review Dimensions

Purpose & Capability: concernThe skill's stated purpose (generate podcast audio via SenseAudio + ffmpeg) is reasonable and matches many files (FLask service, TTS, FFmpeg usage). However the code also expects and reads the user's ~/.openclaw/openclaw.json, extracts gateway tokens and Feishu appId/appSecret, and interacts with a local OpenClaw gateway and an IM pipeline. Those capabilities (reading agent config and messaging credentials) are not reflected in the registry metadata (which listed no required env or config paths) and are broader than a pure TTS/podcast generator would need.
Instruction Scope: concernSKILL.md instructs launching a local web server and running scripts/generate.py, which is expected. But the runtime instructions and the shipped code instruct the agent to: read ~/.openclaw/openclaw.json, read /tmp/openclaw-runtime-context.json, call a local gateway (http://localhost:18789), invoke the 'openclaw' CLI to send messages, and upload files to Feishu using appId/appSecret read from the config. These actions reach into user configuration and messaging subsystems beyond simple TTS generation.
Install Mechanism: okNo install spec is provided (instruction-only install). No external downloads or archive extraction are present in the manifest. Risk from install mechanisms is low; the primary surface is the runtime behavior of the shipped scripts.
Credentials: concernSKILL.md metadata declares requiring FFmpeg and SENSEAUDIO_API_KEY (primaryEnv). The code, tests, and AGENT.md also require a local openclaw.json containing SENSEAUDIO_API_KEY and channel credentials, and the code will read gateway tokens and Feishu appId/appSecret from that file. Those additional credentials and config path access are not declared in the registry metadata, and they expose sensitive secrets (app secrets, gateway tokens) that are not strictly necessary for TTS generation if the agent had been designed to accept explicit tokens as ephemeral inputs.
Persistence & Privilege: noteThe skill does start background processes (Flask service), writes PID/log files under /tmp, and can invoke local CLI 'openclaw' to send messages. It does not set always:true and does not modify other skills' configs, but running background services and invoking local message APIs means the skill can act on IM channels when invoked. This is expected for a messaging-integrated generator but increases potential impact if combined with undisclosed credential access.