Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Podcast Transcript Mining Authority Positioning
v1.0.0
Extract guest appearances, speaking topics, and soundbites from podcast transcripts to build authority portfolios and generate podcast pitch templates. Use w...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Overall purpose (transcript ingestion, soundbite extraction, pitch generation) aligns with needing an OpenAI key and ffmpeg for audio transcription. However, the SKILL.md advertises integrations (WordPress, Notion, Google Docs, Zapier, Spotify/Apple metadata) that normally require additional credentials or APIs which are not declared in requires.env. That gap is a notable inconsistency: either the skill expects interactive, manual auth flows (not declared) or it cannot fully implement those features as-is.
Instruction Scope
Instructions describe accessing user transcripts, RSS feeds, Google Docs links, Notion databases, and pushing content to WordPress and Slack. The doc does not specify how private sources (Notion, Google Docs, WordPress REST API) will be authenticated, nor does it describe storage/retention of uploaded transcripts. The skill also requires a Slack webhook (capable of posting arbitrary content) which could be used to exfiltrate processed text if misused. The instructions are high-level and grant broad discretion (searching for podcasts, scraping listener metrics) without clear limits.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. It does require ffmpeg to be present on the host PATH, which is reasonable for audio processing. No third-party downloads or executed installers are included.
Credentials
Required env vars (OPENAI_API_KEY, GOOGLE_SEARCH_API_KEY, SLACK_WEBHOOK_URL) are plausible for core features: OpenAI for transcription/analysis, Google Search for discovery, Slack for notifications. Missing: no declared credentials for WordPress, Notion, Google Drive/Docs, Spotify, or other services the README says it integrates with. That mismatch is disproportionate — either the skill will prompt for additional secrets at runtime (not declared) or it cannot perform advertised integrations. Also note that giving a Slack webhook allows outbound posting of arbitrary content, so users should treat it as sensitive.
Persistence & Privilege
Skill is not force-included (always:false) and uses normal agent invocation. There are no declared config paths or persistent privileges, and the skill does not request to modify other skills or global agent settings.
What to consider before installing
What to check before installing or using this skill:
- Confirm exactly how the skill will authenticate to WordPress, Notion, Google Docs, Spotify/Apple, or other services it mentions — the SKILL.md does not declare credentials for those. Ask the author whether you'll be prompted for per-action credentials or whether additional env vars are required.
- Treat the Slack webhook as sensitive: a webhook can post any data to the given Slack channel. If you must provide one, use a channel and webhook with limited visibility and permissions.
- Use a limited-scope OpenAI key (or an account that can be revoked) and a dedicated Google Search API key to avoid tying production credentials to this skill.
- Test with non-sensitive transcripts first and verify where (if anywhere) the skill stores processed data. Ask whether the skill logs or caches transcripts and for how long.
- If the skill claims to pull private Notion/Google Docs content, require the author to document the exact auth flow and scope; refuse to provide full-account credentials.
- If you need the WordPress push feature, request clear documentation for required WP credentials and recommend creating a limited author account or using site-specific API keys.
I have medium confidence because this is an instruction-only skill (no code to inspect); clarifying the missing integration/auth details from the maintainer would likely change the assessment.
Like a lobster shell, security has layers — review code before you run it.
latest vk971a5fjkmvc54ahd7pfwkzgg98344bp
Runtime requirements
🎙️ Clawdis
OS: macOS · Linux · Windows
Bins: ffmpeg
Env: OPENAI_API_KEY, GOOGLE_SEARCH_API_KEY, SLACK_WEBHOOK_URL
