Podcast to Substack
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: podcast-to-substack
Version: 1.0.0

The skill bundle is suspicious primarily due to potential shell injection vulnerabilities in `SKILL.md`. The markdown instructs the AI agent to execute `python3` scripts with user-provided inputs (`$RSS_URL`, `EPISODE_NUMBER`) directly within bash commands. If the AI agent does not properly sanitize these inputs before execution, an attacker could inject arbitrary shell commands. While the Python scripts themselves do not show explicit malicious intent, this execution pattern represents a significant vulnerability. Additionally, `scripts/fetch_notion_episode.py` downloads images from external URLs and saves them to a local directory, which, while defaulting to a safe path, could pose a path traversal risk if the `--download-dir` argument were user-controlled.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could publish or queue content on your public accounts before you have reviewed the final text, links, images, and audience settings.
The skill directs the agent to take public publishing or queuing actions, but the workflow does not clearly require a final user approval step before publishing to Substack or posting/queuing on LinkedIn.
4. Publish with stable embed behavior using the playbook in `references/substack-embed-playbook.md`. ... 6. Post or queue the LinkedIn copy.
Make draft creation the default and require explicit user confirmation before publishing, enabling email distribution, or posting/queuing on LinkedIn.
Running the RSS step may download and execute third-party package code that the user did not explicitly review or approve.
The RSS helper silently installs an unpinned PyPI dependency at runtime even though the skill has no install spec or declared dependency list.
```python
import sys

try:
    import feedparser
except ImportError:
    # Missing dependency is installed at runtime: unpinned, from PyPI,
    # and without asking the user first
    import subprocess
    subprocess.check_call([sys.executable, "-m", "pip", "install", "feedparser", "-q"])
    import feedparser
```

Declare dependencies in an install spec or requirements file, pin package versions, and avoid runtime pip installs unless the user explicitly approves them.
The agent can read the Notion content available to the token and can act with whatever Substack publishing access the user provides.
The requested credentials are expected for this workflow, but they grant access to private Notion episode content and publishing authority on Substack.
- Notion API key (`NOTION_API_KEY` or `~/.config/notion/api_key`)
- Substack publish access
Use a least-privileged Notion integration limited to the episode database and provide Substack access only in a session where you can review drafts before publication.
