Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Podcasts
v1.0.0
Track and synthesize podcasts with subscriptions, briefings, progress tracking, and smart alerts for new episodes and guests.
⭐ 2 · 616 · 0 current · 0 all-time
by Iván @ivangdavila
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (track and synthesize podcasts) matches the instructions to subscribe, summarize, and manage a backlog. However, the SKILL.md explicitly lists external tools and data sources (yt-dlp, Whisper, Apple transcripts, Taddy/Podcast Index) that a real implementation would likely need; the skill metadata lists no required binaries, installs, or credentials, which is inconsistent with those stated needs.
Instruction Scope
Instructions direct the agent to download/obtain transcripts and audio (yt-dlp, Whisper, YouTube auto-captions) and to monitor 'any podcast' for VIP guests and trending content. That can require broad network access, repeated downloads, and scraping of multiple platforms. The instructions also mandate writing summarized data and transcripts to ~/podcasts/, which is a clear local storage behaviour the user should know about. There is no guidance about rate limiting, frequency, or consent for downloading content.
Install Mechanism
This is an instruction-only skill (no install spec), which is low risk in itself. But because the SKILL.md assumes tools like yt-dlp and Whisper are used, the lack of declared required binaries or an install method is an inconsistency: the agent may fail at runtime or implicitly rely on preinstalled third-party tooling from unknown sources.
Credentials
The skill declares no required environment variables or credentials, yet references services (Apple transcripts, Podcast Index, third-party services named 'Taddy') that commonly require API keys or credentials. The SKILL.md does not describe what credentials (if any) are needed, where they should be stored, or whether private keys/tokens will be used—this is disproportionate opacity for a skill that interacts with third-party APIs and downloads content.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It instructs storing files under ~/podcasts/ (subscriptions.md, queue.md, briefings/, knowledge.md, guests.md). Local persistence limited to a dedicated directory is normal, but the user should be aware transcripts and possibly full episode audio may be saved there. The skill does not declare modifying other skills or system settings.
What to consider before installing
This skill appears to do what it says (subscribe, summarize, prioritize), but it also relies on downloading audio/video and creating transcripts from multiple sources. Before installing or enabling it, check the following:
- Confirm whether the agent environment already has yt-dlp, Whisper (or other transcription tools), and whether you trust their installation sources; if not, ask the author how they expect those tools to be provided.
- Ask what third-party APIs are used (Podcast Index, Apple, Taddy, YouTube) and whether API keys are required; never supply credentials unless you understand why and how they will be stored and used.
- Be aware the skill will write data under ~/podcasts/ (transcripts, briefings, guest watchlists). Decide if you are comfortable storing potentially copyrighted audio and auto-generated transcripts locally and confirm how to delete that data.
- Clarify how often the skill will scan/download content and whether it will monitor 'all podcasts' automatically—this impacts bandwidth, rate limits, and privacy.
- If you proceed, prefer installing required tools (yt-dlp, Whisper) from official project sources, and limit credentials to least privilege. If the author cannot explain the missing dependency/credential declarations, treat the skill cautiously or avoid installing it.
Like a lobster shell, security has layers — review code before you run it.
latestvk9722mbsga7860qtvqkb2ysbcn810gbt
