Skills
skills/kesslerio/podcastfy-generator-openclaw-skill/podcastfy-generator/Snyk

podcastfy-generator

Warn

Audited by Snyk on Mar 11, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly accepts and fetches arbitrary public URLs and YouTube videos (see SKILL.md/README and scripts/generate.py which passes URLs into the VENV_CODE calling podcastfy.generate_podcast), and feeds that untrusted, third‑party content into the Gemini LLM to generate dialogue and drive TTS/output, so webpage/transcript content can materially influence generation and downstream actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill fetches arbitrary, user-supplied URLs at runtime (e.g., https://example.com/article) and passes the fetched content into the podcastfy LLM pipeline (generate_podcast), which injects that external content into the model context and thus can directly control prompts/output.

Issues (2)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 11, 2026, 12:20 PM
Issues
2