ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dual-Host Daily Podcast Generator

v1.0.0

Generate and publish a dual-host daily podcast. Fetches news, generates a conversational script between two hosts, synthesizes audio via Fish Audio or Edge T...

0· 387·1 current·1 all-time
byDachao@dz1922
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The functionality (fetch news, generate script, TTS, upload to S3, update RSS) is coherent with the name/description. However the registry metadata claims no required environment variables or binaries while the SKILL.md and included scripts clearly require S3 access, an external TTS API key (Fish Audio), ffprobe/ffmpeg, and the aws CLI. That mismatch (metadata says 'none' but the runtime needs credentials/tools) is a substantive incoherence.
Instruction Scope
SKILL.md instructions stay within podcast generation/publishing scope (scrape news, create dialogue, synthesize audio, upload, update RSS). However there are practical/behavioral issues: it tells the agent to 'web_fetch' scrape several sites (reasonable for news but watch robots/terms-of-service), and references delivering via messaging without specifying endpoints. More importantly, the code expects/uses formats different from examples (script parser expects '[HostA] text' but docs show 'HostA: ...'), and generate_episode.sh edits feed.xml in /tmp then uploads — typical but relies on aws CLI and whatever credentials are present. Overall behavior is within the claimed purpose but not robust or fully specified.
Install Mechanism
There is no install spec and the skill is instruction-only with included scripts — nothing is downloaded or executed at install time. This lowers supply-chain risk. Required runtime dependencies are listed in SKILL.md but not enforced by an install step.
!
Credentials
The skill actually needs sensitive credentials and local config (S3 bucket access via aws CLI credentials, Fish Audio API key) but the registry metadata lists 'Required env vars: none'. The included fish_dual_tts.py hard-codes API_KEY/VOICE IDs as placeholders instead of reading environment variables (SKILL.md expects FISH_API_KEY, FISH_VOICE_A/B). generate_episode.sh uses S3_BUCKET/PODCAST_DOMAIN environment variables but falls back to defaults, and will use whatever AWS credentials are configured on the host. These discrepancies mean you could accidentally expose or use the wrong credentials; required secrets are not declared and the code does not safely read them.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide agent settings. It runs as an on-demand tool and performs publishing actions (S3 uploads) when invoked — standard for this purpose. Autonomous invocation is allowed (platform default) but is not combined with other high-risk privileges here.
What to consider before installing
This skill appears to implement what it claims, but it has multiple inconsistencies and sloppy defaults you should fix before using in production: 1) Metadata incorrectly claims no required env vars — treat S3 credentials and the Fish Audio API key as required secrets. 2) fish_dual_tts.py contains hard-coded placeholder API_KEY and VOICE IDs instead of reading FISH_API_KEY / FISH_VOICE_A / FISH_VOICE_B from the environment; update the script to read credentials from env vars and never commit real keys into code. 3) The script parser and the documentation use different speaker formats ([HostA] vs HostA:); reconcile them so TTS segments are parsed correctly. 4) generate_episode.sh uses the aws CLI and whatever AWS credentials are present on the machine; run this only with an IAM user/role that has minimal S3 permissions (putObject/listObject) scoped to the podcast bucket. 5) Test in an isolated account or environment before giving it access to your real S3 or messaging channels. 6) Review web scraping targets for legal/robots constraints. If you want to proceed, require the author to: update registry metadata to declare required env vars and binaries, change code to read env vars securely, and add input validation/error handling. Absent these fixes, treat the skill as untrusted and run only in a sandbox with least-privilege credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bnnzrkfw1ecvnnj0y3ykn25827h1v
387downloads
0stars
1versions
Updated 7h ago
v1.0.0
MIT-0
Dachao@dz1922
latest
Download

Dual-Host Daily Podcast Generator

Automated daily podcast with two AI hosts. Generates text brief + dual-voice audio, publishes to RSS, delivers via messaging.

Concept

  • Format: Two hosts — one explains/analyzes, the other asks and transitions
  • Duration: Configurable, default ~7 minutes
  • Style: Casual, opinionated, conversational — like two friends chatting about the news
  • Topics: Customizable (default: AI/Tech, Stocks, Macro, Crypto)

Architecture

Fetch News → Text Brief → Dual-Voice Script → TTS Audio → S3 Upload → RSS Update → Deliver

Configuration

Set these in your environment:

VariableDescription
S3_BUCKETS3 bucket name
PODCAST_DOMAINCustom domain or S3 URL
FISH_API_KEYFish Audio API key (https://fish.audio)
FISH_VOICE_AFish Audio voice ID for Host A
FISH_VOICE_BFish Audio voice ID for Host B

Step 1: Fetch News

Use web_fetch to scrape sources in parallel. Default sources:

  1. https://news.ycombinator.com/ — Tech
  2. https://www.coindesk.com/ — Crypto
  3. https://techcrunch.com/category/artificial-intelligence/ — AI
  4. https://finance.yahoo.com/ — Markets

Customize sources to match your podcast topic.

Step 2: Generate Text Brief

Organize news into sections with emoji headers:

☀️ Daily Brief | Mar 3, 2026

━━━━━━━━━━━━━━━━━━

🤖 Tech / AI

① Headline
→ One-line take

━━━━━━━━━━━━━━━━━━

📈 Markets

① Headline
→ One-line take

━━━━━━━━━━━━━━━━━━

🎯 Key Takeaway
Summary paragraph

Step 3: Generate Dual-Voice Script

Rewrite the brief as a dialogue. Prefix each line with speaker tag:

HostA: Welcome to today's episode...
HostB: Some big stories today...
HostA: Right, let's start with...

Guidelines:

  • Host A: Explains and analyzes, knowledgeable but casual
  • Host B: Asks, transitions, reacts
  • Substantial turns, not one-liners
  • Include analysis and discussion, not just headlines
  • End with a lighter topic + sign-off

Step 4: Generate Audio

Fish Audio (recommended — natural, multi-voice):

python3 scripts/fish_dual_tts.py <script.txt> <output.mp3>

Parses speaker tags, sends each segment to Fish Audio, concatenates into final MP3.

Edge TTS (free fallback, single voice):

edge-tts --voice en-US-GuyNeural --rate "+5%" --file script.txt --write-media output.mp3

Step 5: Publish

bash scripts/generate_episode.sh <date> <EP-number> <title> <description> <mp3-file>

What it does:

  1. Upload MP3 to S3
  2. Get actual duration via ffprobe
  3. Insert <item> into RSS feed (newest first)
  4. Update <lastBuildDate>

Step 6: Deliver

Send text brief + audio via your preferred channel (Telegram, Discord, Slack, etc.)

RSS Feed

See references/rss-format.md for XML template.

Key rules:

  • <itunes:duration> = actual duration from ffprobe (never hardcode)
  • <enclosure length> = actual file size in bytes
  • <itunes:owner> with email for Apple/Spotify verification
  • Cover: 3000x3000 JPEG minimum

Hosting Options

OptionNotes
S3 + Cloudflare WorkerFree HTTPS, recommended
S3 + CloudFrontNative AWS
Any static hostJust serve MP3 + feed.xml

Cron (OpenClaw)

openclaw cron add --task "Generate daily podcast" --cron "0 8 * * *" --tz "Your/Timezone"

Dependencies

  • python3 + requests — Fish Audio TTS
  • ffmpeg / ffprobe — Audio processing
  • aws CLI — S3 upload
  • edge-tts (optional) — Free fallback TTS

Comments

Loading comments...