Podcast Production Pipeline

The skill mostly matches its stated podcast-production purpose, but contains incoherent/unsafe elements (embedded API keys, a hard-coded gateway token, mismatched config paths, and unexpected local gateway calls) that make it risky to install without changes.

Do not install this skill as-is. Actionable recommendations: - Treat the checked-in API keys and embedded token as leaked: do not reuse them and rotate any real keys they might correspond to. Remove/replace them before use. - Fix the config-path mismatch: scripts expect config/podcast-pipeline.json while repo provides config/settings.json; standardize to a single config file and do not commit secrets into it. - Remove hard-coded OPENCLAW_GATEWAY_TOKEN from code; require the user to supply any gateway token via environment variables and document it in SKILL.md. - Review and fix script bugs (undefined variables in post-production) before running — they will likely crash or produce incorrect output. - Audit and understand network calls: the pre-production script contacts api.tavily.com (expected) and also POSTs to 127.0.0.1:18789 (local gateway). Ensure your local gateway is intended to receive such messages and that the token is valid and minimal-scope. - Run the skill in a sandboxed environment first (no sensitive files or real credentials), and inspect outgoing network traffic. Only proceed after removing embedded secrets and confirming intended behavior. If you want, I can list the exact files/lines with embedded secrets and show minimal code changes to make the skill safer (e.g., use env vars, validate config path).