Custom Podcast Discovery & Generation
v1.0.1
Discover, research, script, fact-check, and generate podcast episodes automatically. Multi-source topic discovery, LLM script generation, citation enforcemen...
by Harshil Mathur (@harshilmathur)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description align with included scripts (discover, research framework, script generation prompt creation, verification scaffolding, TTS prep, upload). The skill legitimately needs sources, research, LLM and a TTS tool (ElevenLabs) and optional S3 for storage — which the docs and scripts reference.
Instruction Scope
SKILL.md and scripts instruct the agent to run the local Python pipeline and to spawn OpenClaw workers that call web_search(), an LLM, and elevenlabs_text_to_speech. The scripts themselves are mostly frameworks/placeholders that expect worker tools to perform network/LLM/TTS calls; they do not perform direct secret harvesting. However the pipeline and cron examples instruct sourcing ~/.openclaw/env-init.sh and invoking aws CLI (for S3) — which means runtime will rely on environment/config outside the skill. The YAML parsing is custom/regex-based (brittle) and the docs rely on the worker having broad web-search/LLM/TTS access.
Install Mechanism
No install spec / no remote downloads are present in the manifest. The repository includes Python scripts and README/DEPLOYMENT docs. There is no automatic remote code fetch or archive extraction in the install metadata.
Credentials
skill.json/manifest list no required environment variables, but runtime clearly requires: (a) ElevenLabs API credentials or OpenClaw ElevenLabs tool integration to generate audio, and (b) AWS credentials or aws CLI config for S3 uploads if that storage option is used. Those credentials are referenced in docs but not declared as required in the manifest — this is an operational omission you should be aware of.
Persistence & Privilege
always is false. The skill doesn't request persistent/always-on privileges and does not modify other skills. It runs as user-invoked or via normal autonomous worker invocation; no elevated system privileges requested in code or docs.
Assessment
This skill appears to implement what it says, but review a few points before installing:
1) Credentials: the pipeline expects ElevenLabs TTS integration (or API key via OpenClaw worker) and optional AWS CLI credentials for S3 uploads — ensure you provide only the credentials you intend and that they are stored/configured safely (aws configure or OpenClaw credentials).
2) Worker privileges: research/script/audio stages are intended to be completed by OpenClaw workers that have web_search(), LLM, and elevenlabs_text_to_speech access — confirm what those workers can access in your environment.
3) Inspect upload.py and any delivery code: ensure no unexpected external endpoints or hardcoded credentials are present (the manifest claims none, but verify the upload implementation and any omitted files).
4) The YAML parsing and RSS parsing use simple regex logic (no pyyaml/feedparser/requests) — this is brittle and may mis-parse malicious or malformed feeds; run in a restricted environment or container and validate feed URLs you add.
5) The pipeline uses subprocess.run with argument lists (no shell=True) which is good, but the pipeline executes many scripts based on user-provided config paths and filenames; avoid running it with configs from untrusted sources.
6) Test in a sandbox (or read-only environment) first, and lock down S3 bucket policies before enabling uploads.
If you want higher assurance, request the missing files (upload.py, verify.py contents were omitted in the provided listing) and I can re-check those specifically.
Like a lobster shell, security has layers — review code before you run it.
