Podfetcher Tools
PassAudited by ClawScan on May 10, 2026.
Overview
This appears to be a coherent Podfetcher API client, but it uses a Podfetcher API key and can trigger transcript-fetch jobs, so users should control credentials and account usage.
Install only if you trust Podfetcher and the package source. Use a revocable API key, keep the API base URL set to the trusted Podfetcher endpoint unless intentionally testing elsewhere, store MCP environment variables securely, and have the agent ask before fetching transcripts if usage charges or quotas matter.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent process with this key can make Podfetcher API calls under the user's account, and a changed base URL could send the key to a different endpoint.
The client reads a Podfetcher API key from options or the environment and sends it as a request header to the configured API endpoint.
const apiKey = options.apiKey ?? process.env.PODFETCHER_API_KEY; ... const headers = { Accept: "application/json", [apiKeyHeader]: apiKey };Use a revocable or scoped Podfetcher key if available, store it in the environment or a secret manager, avoid passing it in chat or command history, and keep the default base URL unless the alternate endpoint is trusted.
If an agent uses the transcript-fetch tool freely, it may create API work, consume quota, or incur account usage costs.
The transcript-fetch workflow can wait for provider-side processing and reports charged tokens, indicating it may consume account resources.
response = await client.fetchTranscriptAndWait({ episodeId, idempotencyKey, ... }); ... console.log(`Tokens charged: ${response.billing?.tokensCharged ?? "n/a"}`);Configure the agent to ask before fetching transcripts when costs or quotas matter, and monitor Podfetcher account usage.