podcast-generation
Audited by Socket on Feb 17, 2026
1 alert found:
Malware [Skill Scanner]: Instruction directing agent to run/execute external content

The skill's stated purpose and requested credentials are consistent with a TTS-based podcast generator, but the explicit instruction to not read or inspect the generate.py implementation, combined with missing details about network endpoints and lack of integrity checks, makes this skill suspicious from a supply-chain perspective. The credentials requested (Volcengine TTS) are proportionate, but because the implementation is hidden, there is a non-trivial risk that user data or TTS credentials could be routed to unintended third parties.

Recommend: treat as SUSPICIOUS until the generate.py script is inspected or network calls are audited; do not provide Volcengine credentials or run the pipeline in a privileged environment until verification.

LLM verification: SUSPICIOUS — The skill's stated functionality (text -> podcast MP3 + transcript) is legitimate and plausible, but the documentation contains strong procedural red flags: it instructs callers not to inspect the bundled generator and mandates an opaque, single-step execution. Those instructions materially increase supply-chain risk because the generator, when executed with the caller’s privileges, could read local secrets or exfiltrate data to remote hosts. No direct indicators of malware exist in