Ai Podcast Pipeline
Review
Audited by ClawScan on May 10, 2026.
Overview
The podcast pipeline mostly matches its purpose, but it under-discloses an external helper from another skill that is executed with the Gemini API key.
Review this skill before installing. The core podcast workflow appears coherent, but verify the nano-banana-pro helper and local dependencies before using thumbnail generation, use a dedicated Gemini API key, and avoid sending confidential source material unless third-party Gemini processing is acceptable.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running thumbnail generation may execute unreviewed code from another local skill, and that helper receives the environment used for the run, including the Gemini key.
The skill executes a helper script from a different skill that is not included in this artifact set or declared in the metadata/install requirements.
NANO_SCRIPT = WORKSPACE_DIR / 'skills/nano-banana-pro/scripts/generate_image.py' ... cmd = ['uv', 'run', str(NANO_SCRIPT), ...] ... subprocess.run(cmd, check=True, env=env, timeout=600)
Install and review the nano-banana-pro dependency before using image generation, or run with --no-image. The publisher should declare this dependency and include or pin the helper source.
A user may trust the skill as fully auditable and limited to ffmpeg subprocesses, when in fact one default asset-generation path (thumbnail generation) can run code from outside the package.
This safety disclosure is materially incomplete because the provided code also invokes an external nano-banana-pro script via uv, so not all executed code is contained in the reviewed repository.
- **subprocess calls**: Used ONLY to invoke ffmpeg for audio/video processing ... All code is open source and auditable in this repository. No malicious behavior.
Update the security notice to accurately list uv, the nano-banana-pro helper, required binaries/dependencies, and the fact that some executed code is external to this skill.
Your Gemini API key may be used for billable or quota-consuming requests.
The skill uses a user-provided Gemini-compatible API key from the environment to call the provider, which is expected for TTS generation but gives the script access to that account's API quota.
key = os.environ.get("GEMINI_API_KEY") or os.environ.get("NANO_BANANA_KEY") ... "x-goog-api-key": key
Use a dedicated, least-privilege API key if possible, monitor quota/billing, and do not paste raw keys into prompts or shared files.
Podcast scripts or other text supplied for TTS will leave the local machine and be processed by Google Gemini.
Dialogue text is sent to Google's Gemini API to generate audio, which is purpose-aligned and disclosed but still crosses a third-party provider boundary.
url = f"https://generativelanguage.googleapis.com/v1beta/models/{model}:generateContent" ... body = json.dumps(payload).encode("utf-8")
Avoid sending confidential source material unless that is acceptable under your organization's data policy.
The skill will run local binaries and write or overwrite output media files at paths supplied to the scripts.
The skill runs local media-processing commands such as ffmpeg/ffprobe, which is expected for audio/video rendering but should be understood before installation.
subprocess.run(cmd, check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, timeout=1800)
Use trusted input/output paths, verify ffmpeg/ffprobe are installed from trusted sources, and review outputs before publishing.
