thought-leader-tracker
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears to do what it says: run a local collector that queries public podcast data and writes local Markdown reports, with only minor setup and automation notes.
This looks safe for its stated purpose. Before installing, note that it runs local Bash/Node.js code, sends configured search keywords to Apple’s public search API, writes local Markdown reports, and can be made persistent if you manually add the suggested cron job.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill executes local Bash and Node.js code to collect data and create reports.
The user-invoked shell command executes the included Node.js collector. This is expected for the skill's purpose, but users should know it runs local code.
node "$SCRIPT_DIR/scripts/collector.js" "$days"
Run it only from the reviewed skill directory and ensure Node.js is available.
The skill may fail unless Node.js is installed, despite the metadata saying no binaries are required.
The script requires Node.js, while the registry metadata lists no required binaries. This is a setup declaration gap, not evidence of hidden behavior.
if command -v node &> /dev/null; then ... else ... "Error: Node.js is required but not installed"
Install or verify Node.js before use, and the publisher should declare Node.js as a required binary.
Configured thought-leader names and keywords are sent to an external public API.
The collector sends configured search terms to Apple's public iTunes Search API. This is disclosed and central to collecting podcast data.
const url = `https://itunes.apple.com/search?term=${encodeURIComponent(query)}&entity=podcast&limit=10`;
Avoid putting private or sensitive names/keywords in config.json if you do not want them sent to Apple’s search service.
If the user adds the cron entry, the collector will keep running daily until that cron job is removed.
The skill documents an optional cron entry for recurring daily execution. It is user-directed and matches the daily-tracker purpose.
Add to crontab for daily collection: ... 0 8 * * * ~/.openclaw/skills/thought-leader-tracker/thought-leader-tracker.sh collect 7
Use the cron option only if you want ongoing collection, and remove the crontab entry when no longer needed.
