Skillv1.0.0

ClawScan security

Dual-Host Daily Podcast Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 3, 2026, 10:19 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated purpose (automated dual-host podcasting) matches the included code, but there are multiple inconsistencies and sloppy/broken implementation details — missing declared environment requirements, hard-coded API placeholders, and script/format mismatches — so it requires review before trusting or installing.
Guidance: This skill appears to implement what it claims, but it has multiple inconsistencies and sloppy defaults you should fix before using in production: 1) Metadata incorrectly claims no required env vars — treat S3 credentials and the Fish Audio API key as required secrets. 2) fish_dual_tts.py contains hard-coded placeholder API_KEY and VOICE IDs instead of reading FISH_API_KEY / FISH_VOICE_A / FISH_VOICE_B from the environment; update the script to read credentials from env vars and never commit real keys into code. 3) The script parser and the documentation use different speaker formats ([HostA] vs HostA:); reconcile them so TTS segments are parsed correctly. 4) generate_episode.sh uses the aws CLI and whatever AWS credentials are present on the machine; run this only with an IAM user/role that has minimal S3 permissions (putObject/listObject) scoped to the podcast bucket. 5) Test in an isolated account or environment before giving it access to your real S3 or messaging channels. 6) Review web scraping targets for legal/robots constraints. If you want to proceed, require the author to: update registry metadata to declare required env vars and binaries, change code to read env vars securely, and add input validation/error handling. Absent these fixes, treat the skill as untrusted and run only in a sandbox with least-privilege credentials.

Review Dimensions

Purpose & Capability: concernThe functionality (fetch news, generate script, TTS, upload to S3, update RSS) is coherent with the name/description. However the registry metadata claims no required environment variables or binaries while the SKILL.md and included scripts clearly require S3 access, an external TTS API key (Fish Audio), ffprobe/ffmpeg, and the aws CLI. That mismatch (metadata says 'none' but the runtime needs credentials/tools) is a substantive incoherence.
Instruction Scope: noteSKILL.md instructions stay within podcast generation/publishing scope (scrape news, create dialogue, synthesize audio, upload, update RSS). However there are practical/behavioral issues: it tells the agent to 'web_fetch' scrape several sites (reasonable for news but watch robots/terms-of-service), and references delivering via messaging without specifying endpoints. More importantly, the code expects/uses formats different from examples (script parser expects '[HostA] text' but docs show 'HostA: ...'), and generate_episode.sh edits feed.xml in /tmp then uploads — typical but relies on aws CLI and whatever credentials are present. Overall behavior is within the claimed purpose but not robust or fully specified.
Install Mechanism: okThere is no install spec and the skill is instruction-only with included scripts — nothing is downloaded or executed at install time. This lowers supply-chain risk. Required runtime dependencies are listed in SKILL.md but not enforced by an install step.
Credentials: concernThe skill actually needs sensitive credentials and local config (S3 bucket access via aws CLI credentials, Fish Audio API key) but the registry metadata lists 'Required env vars: none'. The included fish_dual_tts.py hard-codes API_KEY/VOICE IDs as placeholders instead of reading environment variables (SKILL.md expects FISH_API_KEY, FISH_VOICE_A/B). generate_episode.sh uses S3_BUCKET/PODCAST_DOMAIN environment variables but falls back to defaults, and will use whatever AWS credentials are configured on the host. These discrepancies mean you could accidentally expose or use the wrong credentials; required secrets are not declared and the code does not safely read them.
Persistence & Privilege: okThe skill does not request always:true and does not modify other skills or system-wide agent settings. It runs as an on-demand tool and performs publishing actions (S3 uploads) when invoked — standard for this purpose. Autonomous invocation is allowed (platform default) but is not combined with other high-risk privileges here.