Back to skill

Security audit

SenseAudio Podcast Generator

Security checks across malware telemetry and agentic risk

Overview

The skill is a real podcast generator, but it also starts local services, reads broad OpenClaw/Feishu credentials, and can upload generated audio externally without tight user control.

Install only after reviewing the delivery behavior. Use local-only generation where possible, avoid Feishu mode unless the account and destination folder are explicitly approved, and treat this package as needing fixes before broad use: remove hard-coded host paths and folder tokens, make cloud upload opt-in, and document all credentials and external destinations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (23)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
requests.get(f"{API_BASE}/api/config", timeout=2)
        except:
            # 启动服务
            subprocess.Popen(
                ["python3", str(PROJECT_DIR / "backend" / "app.py")],
                stdout=subprocess.DEVNULL,
                stderr=subprocess.DEVNULL,
Confidence
77% confidence
Finding
subprocess.Popen( ["python3", str(PROJECT_DIR / "backend" / "app.py")], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            requests.get(f"{API_BASE}/api/config", timeout=2)
        except:
            subprocess.Popen(
                ["python3", str(PROJECT_DIR / "backend" / "app.py")],
                stdout=subprocess.DEVNULL,
                stderr=subprocess.DEVNULL,
Confidence
77% confidence
Finding
subprocess.Popen( ["python3", str(PROJECT_DIR / "backend" / "app.py")], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            requests.get(f"{API_BASE}/api/config", timeout=2)
        except:
            subprocess.Popen(
                ["python3", str(PROJECT_DIR / "backend" / "app.py")],
                stdout=subprocess.DEVNULL,
                stderr=subprocess.DEVNULL,
Confidence
77% confidence
Finding
subprocess.Popen( ["python3", str(PROJECT_DIR / "backend" / "app.py")], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, )

Tainted flow: 'download_url' from requests.post (line 359, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
# 下载音频文件
        download_url = f"{API_BASE}{data['download_url']}"
        audio_response = requests.get(download_url, timeout=30)
        
        if audio_response.status_code != 200:
            return {
Confidence
90% confidence
Finding
audio_response = requests.get(download_url, timeout=30)

Tainted flow: 'audio_path' from requests.post (line 374, network input) → open (file write)

Medium
Category
Data Flow
Content
audio_path = output_dir / data["output_file"]
        
        audio_path.parent.mkdir(parents=True, exist_ok=True)
        with open(audio_path, "wb") as f:
            f.write(audio_response.content)
        
        result = {
Confidence
96% confidence
Finding
with open(audio_path, "wb") as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares required binaries and environment variables but does not clearly declare the broader operational permissions implied by the documented behavior, including shell execution, network calls, and file access. This creates a transparency and trust problem: users and policy engines may authorize the skill without understanding that it can launch local services, read/write files, and transmit data to external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose focuses on podcast generation, but the documented behavior extends to channel detection, message/file sending, cloud upload, service lifecycle management, and likely access to local configuration or credentials. That mismatch is dangerous because it hides materially different trust boundaries and data flows, increasing the chance of unintended credential use, exfiltration, or remote side effects beyond what a user expects from a content-generation skill.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
A skill described as a podcast generator also reads local Feishu credentials and uploads generated audio to external cloud storage. This is dangerous because it expands the trust boundary from local media generation to credential use and external exfiltration of user content without being central to the stated function.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The code inspects runtime context and channel metadata to determine where generated content may be sent, which goes beyond simple audio generation. In an agent setting, hidden context-aware messaging can cause unintended disclosure of generated files to chats or channels the user did not explicitly choose.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The generation workflow automatically handles IM delivery instead of only producing a file, materially changing the security posture of the skill. Because sending is enabled by default, generated content may be transmitted externally with little visibility, which is especially risky for private prompts or sensitive topics.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Reading OpenClaw runtime context and chat metadata is unrelated to core podcast generation and creates access to ambient conversation state. In an agent skill, that broader access increases the chance of privacy leakage and hidden side effects, making the behavior more dangerous than it would be in a standalone local media tool.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script accesses local Feishu app credentials from configuration and uses them to obtain tokens and upload files to an external service, which is outside the manifest's stated generation purpose. This creates a strong credential abuse and data exfiltration risk because a user invoking a podcast generator would not reasonably expect it to leverage unrelated account secrets for cloud operations.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Invoking an external messaging CLI to send files is a materially broader capability than podcast generation and enables outbound communication from within the skill. In an agent environment, this is dangerous because it can exfiltrate generated or local files into chats using ambient identity and context, even when the user's primary intent was only local content generation.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Automatically spawning a backend service increases the execution scope of the skill and may run code unexpectedly on the host. While this is not obviously malicious, it is riskier in an agent context because it starts a long-lived local service without explicit user awareness or confirmation.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The tests read a host-level OpenClaw configuration file to obtain a real API credential, which expands access beyond the stated function of generating podcasts. In an agent or marketplace context, reaching into user-global config is dangerous because it can exfiltrate or misuse secrets present on the host without clear necessity or isolation.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The absolute path `/home/wang/桌面/龙虾工作区/podcast-generator` hard-codes execution against a specific host filesystem location outside the test file's own directory. In a skill package, this is a strong indicator of unexpected host coupling and can lead to arbitrary local code execution if that path exists and contains attacker-influenced content.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Using the bare trigger phrase "播客" is overly broad and can activate the skill during ordinary conversation about podcasts rather than an intentional invocation. Because this skill can start a local web server, open a browser, or send content to external services, accidental triggering can cause unwanted execution and unintended disclosure of user-provided text.

Vague Triggers

Medium
Confidence
81% confidence
Finding
Triggering on "生成播客" across both web and chat modes without stronger scoping makes invocation ambiguous and may cause the skill to choose an execution path the user did not intend. In context, that can lead to starting local services in terminal environments or sending content externally in IM environments without sufficiently explicit consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill does not clearly warn users that their topic/script content may be sent to external generation services and, in some channels, uploaded to third-party storage such as Feishu cloud drive. This is a meaningful privacy and data-handling risk, especially if users provide sensitive internal text expecting only local processing.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The script uploads generated audio to Feishu as part of normal flow without a clear user-facing warning or runtime confirmation. Silent transmission of user-generated content is a significant privacy issue, especially given the skill's stated purpose does not center on cloud sharing.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code reads sensitive credentials from local configuration and uses them for external API calls without clearly disclosing this to the user. This undermines informed consent and creates unnecessary exposure of powerful local secrets in a skill whose advertised function is media generation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code reads an API key from host config and sends it in an HTTP header during a test without any user disclosure or isolation boundary. Even though the destination is localhost, local services can still log, proxy, or misuse credentials, and the silent transmission of host secrets is not justified for a default test path.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The test launches a backend process automatically and suppresses stdout/stderr, reducing visibility into what is being executed. Hidden process execution without disclosure is risky because users or CI operators may not realize the skill is starting services and running local code during tests.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.