Custom Podcast Discovery & Generation

Security checks across malware telemetry and agentic risk

Overview

This podcast skill appears purpose-built rather than malicious, but it needs review because its automatic workflow and documentation can overstate verification and may proceed toward audio or storage without the safeguards users would expect.

Review carefully before installing. Prefer manual mode first, inspect generated scripts and verification reports before audio/upload, avoid sensitive unpublished content unless you trust the configured providers, and use dedicated least-privilege AWS/S3 and ElevenLabs credentials. Do not enable cron or public S3 access unless you intend recurring production and remote/public persistence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation instructs execution of Python scripts, shell commands, network access to RSS/Hacker News/ElevenLabs, and writing outputs locally or to S3, yet no explicit permissions are declared. This is dangerous because users and orchestrators may invoke the skill without clear consent boundaries for filesystem writes, external network egress, or shell execution, increasing the chance of unexpected data exposure or unsafe automation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill advertises automatic research, fact-checking, citation enforcement, LLM script generation, and ElevenLabs audio synthesis, but the implementation reportedly only scaffolds templates, placeholder scripts, heuristic verification, and pending markers. This mismatch is dangerous because operators may trust outputs as researched and verified when they are not, leading to misinformation, unsafe downstream publication, and accidental transmission of sensitive content to external services under false assumptions.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill metadata and script behavior materially diverge: instead of automatically generating a podcast script, this code writes a prompt file and a placeholder output marked '[VERIFIED]'. That can mislead downstream automation or users into treating incomplete, unreviewed output as finished content, creating integrity and trust issues in a pipeline that claims autonomous generation.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The top-level documentation states that the script generates a podcast script, but the code only assembles a prompt and emits placeholder content. In an agent skill context, inaccurate documentation is security-relevant because orchestration systems may rely on declared behavior, causing unsafe assumptions, skipped validation, or publication of placeholder artifacts as if they were final generated episodes.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The guide tells users to configure AWS credentials and ElevenLabs access, but does not clearly warn that the skill will send generated audio, prompts, or related content to third-party services. In an agent ecosystem, missing disclosure can cause users to provide sensitive credentials or content without understanding the external data flows and trust boundaries.

Vague Triggers

Medium
Confidence
72% confidence
Finding
The worker instruction says to spawn a worker when the user asks to "generate a podcast," which is broad enough to match ordinary user language without a stronger confirmation or namespacing mechanism. In agent frameworks, overly generic trigger criteria can cause unintended execution of multi-step workflows, external API use, and costs from innocuous conversation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README promotes delivery-ready outputs and automated workflows but does not clearly warn that generated content may be transmitted to third parties or exposed through downstream delivery channels. In a podcast-generation skill, scripts and audio may contain sensitive or unpublished material, so omission of privacy/data-sharing warnings can lead users to unintentionally disclose data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README documents S3 storage and upload behavior without explicitly warning that generated files are stored remotely and may be accessible depending on bucket policy and IAM configuration. Because this skill handles generated scripts and audio artifacts, users may incorrectly assume local-only processing and expose content through misconfigured cloud storage.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README describes ElevenLabs TTS usage but does not explicitly disclose that script text is sent to an external provider for synthesis. Since podcast scripts may include proprietary drafts, personal data, or unreleased content, failure to warn about third-party transmission creates a real confidentiality and compliance risk.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrases are broad and overlap with common conversational requests such as generating or researching a podcast episode. In an agent environment, this can cause unintended invocation of a skill that performs shell commands, network retrieval, external API use, and file/output generation, potentially sending user content off-box or creating artifacts without sufficiently explicit intent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The description emphasizes automation and vendor flexibility but does not clearly warn that content may be sent to external services like RSS sources, Hacker News, LLM providers, ElevenLabs, and optionally S3. This lack of disclosure is risky because users may provide sensitive topics or text without realizing the skill can transmit data externally and store resulting outputs remotely.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The pipeline automatically uploads the generated audio in both auto mode and manual mode without a final explicit confirmation. Because podcast content may contain sensitive, copyrighted, or unreviewed material, this can cause unintended external disclosure or publication if the pipeline is run on untrusted inputs or before verification issues are resolved.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger phrases are broad, generic requests such as 'generate a podcast' and 'make a podcast episode', which can overlap with normal user intents in unrelated contexts. This increases the chance the skill is invoked unexpectedly, causing unreviewed web research, content generation, or external tool use when the user did not explicitly intend to activate this skill.

VirusTotal

63/63 vendors flagged this skill as clean.
