Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Podcastfy Clawdbot Skill

v1.0.0

Generate an AI podcast (MP3) from one or more URLs using the open-source Podcastfy project. Use when the user says “make a podcast from this URL/article/vide...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the code and instructions: the script fetches URL(s), uses podcastfy + Gemini for LLM transcript generation and Edge TTS for audio. This capability justifies installing podcastfy/playwright and using Gemini/Edge TTS.
Instruction Scope
SKILL.md and the script instruct creating a local venv, installing podcastfy and Playwright, running Podcastfy via its Python API, writing conversation/config files, and saving transcripts/audio under the skill directory. The runtime will fetch webpage content and send it to external services (Gemini and Microsoft TTS) — expected for the stated purpose, but worth noting because user content is transmitted off-host.
Install Mechanism
There is no separate install spec, but the included script will call pip to install 'podcastfy' and 'playwright' inside a local venv and will run 'playwright install chromium', which downloads browser binaries. These steps are standard for this use case but involve network downloads and writing large binaries (the Playwright browsers) to disk.
Credentials
The SKILL.md and script require GEMINI_API_KEY (and optional PODCASTFY_* env vars), but the registry metadata claims 'required env vars: none' and 'primary credential: none'. That mismatch is a red flag: the runtime will fail without GEMINI_API_KEY, and the key is used to call an external LLM. Only the Gemini key is needed for functionality; no unrelated credentials are requested, but the metadata omission is inconsistent and should be corrected.
Persistence & Privilege
always:false and no system-wide config modifications are requested. The script writes a .venv and output files under the skill directory and installs Playwright browsers (cached to the environment). This is standard for such tooling, but it does create files/binaries on disk and downloads remote packages during first run.
What to consider before installing
This skill appears to be what it claims (creates MP3s from URLs using podcastfy + Gemini + Edge TTS), but take these precautions before installing or running it:
- Correct the metadata: the skill requires GEMINI_API_KEY (the registry lists no env vars). Do not supply your Gemini key unless you trust the code/maintainer.
- Review the included script (scripts/podcastfy_generate.py) yourself — it will pip-install packages and run Playwright, which downloads browser binaries and executes network calls.
- Expect webpage text and generated transcripts to be sent to external services (Gemini and Microsoft TTS). Do not use with URLs or content that you cannot send to those providers.
- Prefer running this in an isolated environment (container or VM) or on a throwaway machine to limit exposure to supply-chain risks from pip packages and Playwright downloads.
- Verify the downstream 'podcastfy' and 'edge-tts' packages are the official projects and inspect their versions before use.
If you want to proceed safely: run the script in a sandbox, provide a dedicated Gemini API key with limited quota, and confirm outputs on a test URL first.
