v1.0.0

Podcast Generator

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:08 AM.

Analysis

The skill’s behavior matches its podcast-generation purpose, but it relies on live web content, an external TTS skill, and XFYun API credentials that users should configure carefully.

Guidance: This skill appears purpose-aligned for generating short podcast audio. Before installing, verify the separate xfyun-tts skill, use a dedicated XFYun API key, and review generated scripts or source summaries when the topic is sensitive or factual accuracy matters.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
TTS_SCRIPT=$(openclaw skills path xfyun-tts 2>/dev/null || find ~/.openclaw -name "tts.py" -path "*/xfyun-tts/*" 2>/dev/null | head -1)

The core audio synthesis step depends on a separately installed xfyun-tts skill and dynamically locates its tts.py script; that dependency is not included or pinned in the provided artifacts.

User impact: The safety of podcast generation depends partly on the installed xfyun-tts skill and whichever script path is resolved locally.
Recommendation: Install xfyun-tts only from a trusted source, verify its path/version before use, and avoid running this skill if the dependency is unknown or modified.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
XFYUN_APP_ID
XFYUN_API_KEY
XFYUN_API_SECRET

The skill requires XFYun API credentials for speech synthesis, while the registry metadata lists no required environment variables or primary credential.

User impact: Installing or using the skill may require giving it access to an XFYun TTS account, which could consume quota or incur account-level effects.
Recommendation: Use a dedicated, revocable XFYun key with the minimum needed TTS permissions, and confirm how OpenClaw stores and injects those credentials.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Info | Confidence: High | Status: Note
SKILL.md
Use `web_fetch` directly to call a search engine URL and fetch the news... Fetching 1–2 sources and extracting the key facts and data points is enough.

The podcast script is generated from live search results, so retrieved web content directly influences the final audio script.

User impact: Search results or source pages could be inaccurate, promotional, or adversarial, which may lead to misleading podcast content.
Recommendation: For important topics, ask the agent to cite and cross-check sources, and treat retrieved web text as information rather than instructions.