ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Byted Podcast Gen

v1.0.0

将某个话题或者网页内容总结合成为播客音频(Podcast)。基于火山引擎豆包语音播客合成协议生成最终音频。

0· 44·0 current·0 all-time
by@volcengine-skills
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (synthesize podcast audio via 火山引擎/豆包 TTS) matches the implementation: the scripts open a WebSocket to a ByteDance/Volcengine TTS endpoint and assemble received audio chunks into files. There are no obvious unrelated capabilities (no SSH, no cloud provider SDKs).
!
Instruction Scope
SKILL.md instructs running the included scripts and setting MODEL_SPEECH_API_KEY. The actual code will also attempt to use ARK_SKILL_API_KEY and ARK_SKILL_API_BASE (if MODEL_SPEECH_API_KEY is absent) to call remote APIs to list/create speech API keys and will persist any discovered/created key to a .env file under the skill's scripts directory. Those ARK env vars and the auto-create behavior are not documented in the top-level metadata and are scope-expanding (network calls to arbitrary ARK base + persistent storage of credentials).
Install Mechanism
There is no install spec; requirements.txt only lists 'websockets'. The skill is instruction+script only and will not automatically download third-party archives or install binaries. Installing dependencies uses pip per SKILL.md which is expected.
!
Credentials
The package metadata declares no required env vars, but the code requires MODEL_SPEECH_API_KEY (documented in SKILL.md) or, alternatively, ARK_SKILL_API_KEY and ARK_SKILL_API_BASE to list/create API keys. Those ARK variables are not declared in the skill metadata. Using ARK_SKILL_API_KEY/BASE can give the script permission to create API keys via the provided base URL — a higher-privilege operation and potentially disproportionate if the user did not expect the skill to manage API keys.
Persistence & Privilege
The script persists discovered/created MODEL_SPEECH_API_KEY into a .env file located next to scripts/api_key.py (scripts/.env) and sets os.environ for the current process. It does not set system-wide settings or modify other skills, and 'always' is false. Persisting keys to a local .env is potentially surprising and should be considered when running in shared environments.
What to consider before installing
This skill implements the advertised podcast TTS flow, but it will try to obtain a MODEL_SPEECH_API_KEY automatically by calling an ARK management API if that env var is not present. Before installing or running: 1) Verify you trust the skill source (source/hompepage unknown). 2) If you do not want the skill to call an external ARK API or create keys, set MODEL_SPEECH_API_KEY yourself and do not set ARK_SKILL_API_KEY/ARK_SKILL_API_BASE. 3) Be aware the script will write any found/created key to scripts/.env (it attempts to chmod 600) — treat that file as sensitive or run in an isolated environment. 4) Inspect or run the code in a sandbox or container if you are unsure, and ensure the ARK key you provide (if any) has minimal permissions. If you want to proceed, prefer supplying a pre-created MODEL_SPEECH_API_KEY rather than giving the skill an ARK management key/base URL.

Like a lobster shell, security has layers — review code before you run it.

latestvk970e497pkekfjj1j6dbdzmdbd83pk5n

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments