ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Weryai Podcast Generator

v0.1.2

Generate, query, and deliver WeryAI podcasts through the official podcast generation API. Use when the user needs podcast speaker lookup, podcast text genera...

0· 91·0 current·0 all-time
by@weryai-developer
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binaries (node), and required env vars (WERYAI_API_KEY, WERYAI_BASE_URL) align with a client that calls WeryAI podcast generation endpoints. The included scripts map cleanly to the declared intents (speakers, submit-text, generate-audio, status, wait).
Instruction Scope
SKILL.md limits actions to listing speakers, submitting text, triggering audio, and polling for status. The code additionally supports uploading local files (resolvePublicUrlFromSource / uploadLocalFileToPublicUrl) — which will read local files and POST them to the configured WeryAI upload endpoint. This is reasonable for a media-generation client, but SKILL.md does not prominently call out local-file reads/uploads or the optional WERYAI_ALLOW_INSECURE_UPLOAD toggle. If the agent is allowed to run scripts with file-path inputs, be aware files can be read and uploaded to the API base URL (or to an overridden base URL if set).
Install Mechanism
No install spec — this is instruction/code-only and does not download remote archives or run an installer. All code is included in the package; no external install URLs or extract operations are present.
Credentials
The primary credential (WERYAI_API_KEY) and base URL are appropriate and expected. The package also reads an undocumented environment variable WERYAI_ALLOW_INSECURE_UPLOAD (to suppress a warning when uploading to a non-official domain) and uses ctx.* settings like requestTimeoutMs or verbose; these are typical but worth knowing. No unrelated high-privilege credentials are requested.
Persistence & Privilege
always:false and normal autonomous invocation settings. The skill does not request permanent platform-wide elevation or modify other skills. It only operates within its own scripts and runtime context.
Assessment
This skill appears to be what it says: a Node-based client for the WeryAI podcast API. Before installing, note: (1) you must provide a WERYAI_API_KEY (and optionally WERYAI_BASE_URL); keep that key secret. (2) Running submit-text/generate-audio/wait may consume paid credits. (3) The code can read local file paths you supply and upload those files to the configured base URL — do not pass sensitive files or allow the base URL to be overridden to an untrusted host. (4) There is an undocumented env var WERYAI_ALLOW_INSECURE_UPLOAD that, if set, suppresses warnings about non-official upload domains; do not set it unless you trust the endpoint. Use dry-run first (scripts support --dry-run) to verify request shapes and avoid unintended spending.
scripts/vendor/weryai-core/upload.js:147
Environment variable access combined with network send.
!
scripts/vendor/weryai-core/upload.js:131
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e7c5yhs942a4bhnjh8kqcs183h79v

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎙️ Clawdis
Binsnode
EnvWERYAI_API_KEY, WERYAI_BASE_URL
Primary envWERYAI_API_KEY

Comments