Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Podcast Generator
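v1.0.0
Podcast generator: based on the user's description, fetches the latest news via search engines, generates a conversational podcast script, automatically matches the most suitable XFYUN (iFLYTEK) TTS voice to the script's semantics, synthesizes an MP3 of up to 3 minutes, and sends it. Trigger phrases: 生成播客 ("generate a podcast"), 播客 ("podcast"), podcast, 帮我做一段音频 ("make me an audio clip"), 做一期节目 ("make an episode").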
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The natural purpose (generate short podcast MP3s via XFYUN TTS from web-scraped content) is coherent with the runtime steps, but the registry metadata declares no required env vars while SKILL.md explicitly requires XFYUN_APP_ID / XFYUN_API_KEY / XFYUN_API_SECRET and the xfyun-tts skill. That metadata mismatch is an incoherence (the skill actually needs cloud TTS credentials even though none are declared).
Instruction Scope
Instructions stay largely within the stated purpose: search web pages (via web_fetch), build a spoken script, call the xfyun-tts script, produce an MP3 and send it. Two scope details to note: (1) the retrieval guidance uses arbitrary search engine URLs and free-form scraping (agents will fetch and parse external webpages), which can surface unexpected content; (2) the runtime uses find ~/.openclaw to locate the xfyun-tts script, which reads the user's home openclaw directory and could touch other skills' files — this is broader filesystem access than a purely network-only TTS integration.
Install Mechanism
This is instruction-only with no install spec or downloads, so it doesn't add new on-disk code during install — lowest install risk.
Credentials
SKILL.md requires three XFYUN_* environment variables (TTS credentials) and depends on an installed xfyun-tts skill, but the skill registry metadata lists no required env vars or primary credential. The required credentials are proportional to the stated TTS functionality, but their omission from declared requirements is an inconsistency that reduces transparency and may mislead users about what secrets they must provide.
Persistence & Privilege
always:false and no install-time modifications are requested. The skill runs commands at runtime (mktemp, write files, execute python tts script) and will be able to be invoked by the agent (default), which is expected for skills. It does probe ~/.openclaw to find other skill files but does not request permanent presence or modify other skills' configs.
What to consider before installing
Before installing or enabling:
(1) confirm the skill author/source — there is no homepage and metadata omits required env vars;
(2) only provide XFYUN_APP_ID / XFYUN_API_KEY / XFYUN_API_SECRET if you trust the skill and consider using a limited-scope or disposable XFYUN key;
(3) verify that the xfyun-tts skill referenced is one you installed from a trusted source and that its TTS script (tts.py) is what will be executed;
(4) be aware the skill will fetch external web pages (scraping arbitrary search results) — do not ask it to summarize or fetch private or sensitive topics;
(5) note it uses find ~/.openclaw to locate tts.py which reads your OpenClaw skill directory — if you have sensitive files there, consider moving them or running the skill in a sandbox;
(6) if you require stronger assurance, request the publisher to update registry metadata to declare the XFYUN env vars explicitly and provide a verifiable source/homepage or supply an install spec so you can audit the referenced xfyun-tts implementation.
Like a lobster shell, security has layers — review code before you run it.
