Podcast Automation
Advisory
Audited by Static analysis on May 12, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the wrong Feishu app or space is used, the agent could create podcast transcript pages in an unintended business Wiki location.
Archiving requires Feishu app credentials and wiki permission, which can create or modify workspace content. This is expected for the stated Feishu Wiki archive feature, but it is still delegated account authority.
Feishu self-built app | Wiki archive | Requires enabling the `wiki:wiki` permission and configuring `FEISHU_APP_ID` / `FEISHU_APP_SECRET`
Use a Feishu app with the minimum necessary Wiki access, confirm the target space ID, and avoid sharing broad tenant credentials with untrusted workflows.
Podcast transcripts selected for archiving will leave the local machine and be stored in Feishu Wiki.
The helper reads a user-specified transcript file and posts its contents to Feishu's document API. This provider data flow is disclosed and purpose-aligned, but transcripts may contain private audio-derived content.
TRANSCRIPT=$(cat "$TRANSCRIPT_FILE" ...)
curl -s -X POST "https://open.feishu.cn/open-apis/docx/v1/documents/$OBJ_TOKEN/blocks/$OBJ_TOKEN/children"
Review transcript contents before archiving and ensure the Feishu Wiki space has the intended audience and retention policy.
The agent may start playback or change volume on a named Sonos speaker when asked to use this feature.
The skill exposes commands that control local Sonos speakers. This is central to the stated podcast playback purpose, but it can affect real devices on the local network.
sonos play --name "Kitchen" "https://example.com/episode.mp3"
sonos volume set 20 --name "Kitchen"
Confirm the speaker name and volume before running playback commands, especially on shared networks.
Future installs may receive a different version of the Sonos CLI than the one originally reviewed.
The Sonos CLI is installed from a public Go module using @latest, so the installed code may change over time. This is a normal setup method for the declared Sonos feature, but it is unpinned.
go | module: github.com/steipete/sonoscli/cmd/sonos@latest | creates binaries: sonos
Pin dependency versions where possible, or install from a trusted, reviewed version before using the skill.
