Podwise
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Podwise appears purpose-aligned for podcast workflows, but it depends on an external CLI/account and can access listening data, user preference files, local media, and external note exports when used.
Install only if you trust the Podwise CLI and are comfortable connecting your Podwise account. Review any remote install script before running it, keep the stored API key private, and only approve processing or exporting files you actually want Podwise or connected note tools to receive. This review is limited to the provided artifacts; three manifest files were omitted from the supplied content.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the CLI this way runs code downloaded from the internet on the user's machine.
The skill documents a user-directed remote install script for the required Podwise CLI. This is common for CLI setup but depends on trusting the remote GitHub source and the current contents of the main branch.
curl -sL https://raw.githubusercontent.com/hardhackerlabs/podwise-cli/main/install.sh | sh
Prefer Homebrew or a verified release binary when possible, and review the install script/source before running it.
The CLI will operate using the user's Podwise account and stored API key, including access to their followed podcasts and history.
The skill requires Podwise account authorization/API key configuration even though registry metadata lists no primary credential. This is expected for the Podwise integration but is still account-level access.
podwise auth ... podwise config set api_key your-sk-xxxx ... The configuration is stored at `~/.config/podwise/config.toml`.
Use a Podwise API key intended for this CLI, keep the config file private, and revoke the key if the device or workspace is untrusted.
If the user approves processing, local media or external URLs may be sent to Podwise and may consume paid or limited credits.
The CLI can upload or process local audio/video files and consume account quota. The artifact includes an explicit confirmation requirement, making this purpose-aligned rather than hidden.
podwise process ./interview.mp3 ... **`process` consumes quota/credits. Always confirm with the user before running it**, regardless of input type.
Only approve processing for files or URLs you intend to upload to Podwise, and confirm the correct file path before proceeding.
A local taste profile may reveal personal interests and can steer recommendations, triage, and output formatting across sessions.
The workflows use a persistent local listener profile to personalize future outputs. This is central to the recommendation purpose, but it means stored preferences can influence later decisions.
Look for `taste.md` in the current working directory. - If found, read it silently. Use the **Core Interest Areas**, **Shows to Prioritize**, and **Shows to Deprioritize** sections to guide triage scoring
Keep `taste.md` free of sensitive information, review it periodically, and edit or remove it if recommendations seem wrong or overly personal.
When requested, the skill may modify the user's Podwise subscriptions or export episode notes into connected tools.
The CLI can write episode content to external note services and change podcast subscriptions. These actions match the skill's purpose and are presented as user-invoked commands.
podwise export notion <episode-url>
podwise export readwise <episode-url>
podwise export obsidian <episode-url>
...
podwise follow https://podwise.ai/dashboard/podcasts/{id}
podwise unfollow https://podwise.ai/dashboard/podcasts/{id}
Review the target podcast, episode URL, and export destination before approving follow/unfollow or export actions.
