Podcastfy Clawdbot Skill

Security checks across malware telemetry and agentic risk

Overview

This skill turns user-provided URLs into podcast audio, but users should understand that it downloads dependencies at runtime and sends URL-derived content to external services.

Install only if you are comfortable with runtime downloads of Python packages and Chromium, use of your Gemini API key and quota, external processing of URL-derived content, and local storage of generated transcripts/audio. Avoid private or internal URLs unless those data flows are acceptable, and pin or pre-provision dependencies in stricter environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def ensure_deps() -> None:
    # Pin loosely; let pip resolve compatible versions.
    subprocess.run([str(PIP), "install", "-U", "podcastfy", "playwright"], check=True)

    # Podcastfy's website extractor may use Playwright. Ensure a browser is installed.
    try:
Confidence
86% confidence
Finding
subprocess.run([str(PIP), "install", "-U", "podcastfy", "playwright"], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Podcastfy's website extractor may use Playwright. Ensure a browser is installed.
    try:
        subprocess.run([str(PY), "-m", "playwright", "install", "chromium"], check=True)
    except Exception as e:
        raise SystemExit(f"Failed to install Playwright Chromium: {e}")
Confidence
85% confidence
Finding
subprocess.run([str(PY), "-m", "playwright", "install", "chromium"], check=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and instructs use of shell execution, environment-variable access, and filesystem reads/writes, but does not declare any permissions or boundaries. That mismatch can cause the agent/runtime or user to invoke capabilities without informed consent, increasing the risk of unsafe command execution, package installation, and local data exposure.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The skill self-provisions a virtualenv, installs Python packages, and installs a browser at runtime, which materially exceeds a narrow wrapper role and increases attack surface. In a skill ecosystem, hidden environment mutation and tool bootstrapping are dangerous because they introduce supply-chain, persistence, and policy-bypass risks under the guise of normal task execution.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explains that the skill uses Gemini and Edge TTS, but it does not clearly warn users that supplied URLs and fetched page content may be transmitted to third-party services for processing. In a skill that ingests arbitrary user-provided links and webpage content, this omission can cause unintentional data disclosure, especially if users submit internal, sensitive, or private URLs.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger language is broad enough to match many common summarization or content-conversion requests, which can cause the skill to activate when the user did not specifically intend external fetching, local script execution, or audio generation. In this skill's context, mistaken invocation matters because it can lead to network retrieval, local environment changes, and transmission of fetched content to third-party services.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill states that it uses Gemini for transcript generation from supplied URLs, but it does not clearly warn that fetched content may be sent to external services for processing. Users may provide private, internal, or sensitive URLs without realizing their contents could be transmitted outside the local environment.

VirusTotal

50/50 vendors flagged this skill as clean.