功能描述

Generate and publish a dual-host daily podcast. Fetches news, generates a conversational script between two hosts, synthesizes audio via Fish Audio or Edge T...

使用说明 (SKILL.md)

Dual-Host Daily Podcast Generator

Name: Dual-Host Daily Podcast Generator
Author: dz1922

Automated daily podcast with two AI hosts. Generates text brief + dual-voice audio, publishes to RSS, delivers via messaging.

Concept

Format: Two hosts — one explains/analyzes, the other asks and transitions
Duration: Configurable, default ~7 minutes
Style: Casual, opinionated, conversational — like two friends chatting about the news
Topics: Customizable (default: AI/Tech, Stocks, Macro, Crypto)

Architecture

Fetch News → Text Brief → Dual-Voice Script → TTS Audio → S3 Upload → RSS Update → Deliver

Configuration

Set these in your environment:

Variable	Description
`S3_BUCKET`	S3 bucket name
`PODCAST_DOMAIN`	Custom domain or S3 URL
`FISH_API_KEY`	Fish Audio API key (https://fish.audio)
`FISH_VOICE_A`	Fish Audio voice ID for Host A
`FISH_VOICE_B`	Fish Audio voice ID for Host B

Step 1: Fetch News

Use web_fetch to scrape sources in parallel. Default sources:

https://news.ycombinator.com/ — Tech
https://www.coindesk.com/ — Crypto
https://techcrunch.com/category/artificial-intelligence/ — AI
https://finance.yahoo.com/ — Markets

Customize sources to match your podcast topic.

Step 2: Generate Text Brief

Organize news into sections with emoji headers:

☀️ Daily Brief | Mar 3, 2026

━━━━━━━━━━━━━━━━━━

🤖 Tech / AI

① Headline
→ One-line take

━━━━━━━━━━━━━━━━━━

📈 Markets

① Headline
→ One-line take

━━━━━━━━━━━━━━━━━━

🎯 Key Takeaway
Summary paragraph

Step 3: Generate Dual-Voice Script

Rewrite the brief as a dialogue. Prefix each line with speaker tag:

HostA: Welcome to today's episode...
HostB: Some big stories today...
HostA: Right, let's start with...

Guidelines:

Host A: Explains and analyzes, knowledgeable but casual
Host B: Asks, transitions, reacts
Substantial turns, not one-liners
Include analysis and discussion, not just headlines
End with a lighter topic + sign-off

Step 4: Generate Audio

Fish Audio (recommended — natural, multi-voice):

python3 scripts/fish_dual_tts.py \x3Cscript.txt> \x3Coutput.mp3>

Parses speaker tags, sends each segment to Fish Audio, concatenates into final MP3.

Edge TTS (free fallback, single voice):

edge-tts --voice en-US-GuyNeural --rate "+5%" --file script.txt --write-media output.mp3

Step 5: Publish

bash scripts/generate_episode.sh \x3Cdate> \x3CEP-number> \x3Ctitle> \x3Cdescription> \x3Cmp3-file>

What it does:

Upload MP3 to S3
Get actual duration via ffprobe
Insert \x3Citem> into RSS feed (newest first)
Update \x3ClastBuildDate>

Step 6: Deliver

Send text brief + audio via your preferred channel (Telegram, Discord, Slack, etc.)

RSS Feed

See references/rss-format.md for XML template.

Key rules:

\x3Citunes:duration> = actual duration from ffprobe (never hardcode)
\x3Cenclosure length> = actual file size in bytes
\x3Citunes:owner> with email for Apple/Spotify verification
Cover: 3000x3000 JPEG minimum

Hosting Options

Option	Notes
S3 + Cloudflare Worker	Free HTTPS, recommended
S3 + CloudFront	Native AWS
Any static host	Just serve MP3 + feed.xml

Cron (OpenClaw)

openclaw cron add --task "Generate daily podcast" --cron "0 8 * * *" --tz "Your/Timezone"

Dependencies

python3 + requests — Fish Audio TTS
ffmpeg / ffprobe — Audio processing
aws CLI — S3 upload
edge-tts (optional) — Free fallback TTS

安全使用建议

This skill appears to implement what it claims, but it has multiple inconsistencies and sloppy defaults you should fix before using in production: 1) Metadata incorrectly claims no required env vars — treat S3 credentials and the Fish Audio API key as required secrets. 2) fish_dual_tts.py contains hard-coded placeholder API_KEY and VOICE IDs instead of reading FISH_API_KEY / FISH_VOICE_A / FISH_VOICE_B from the environment; update the script to read credentials from env vars and never commit real keys into code. 3) The script parser and the documentation use different speaker formats ([HostA] vs HostA:); reconcile them so TTS segments are parsed correctly. 4) generate_episode.sh uses the aws CLI and whatever AWS credentials are present on the machine; run this only with an IAM user/role that has minimal S3 permissions (putObject/listObject) scoped to the podcast bucket. 5) Test in an isolated account or environment before giving it access to your real S3 or messaging channels. 6) Review web scraping targets for legal/robots constraints. If you want to proceed, require the author to: update registry metadata to declare required env vars and binaries, change code to read env vars securely, and add input validation/error handling. Absent these fixes, treat the skill as untrusted and run only in a sandbox with least-privilege credentials.

功能分析

Type: OpenClaw Skill Name: dz-podcast Version: 1.0.0 The skill bundle contains critical shell injection vulnerabilities within `scripts/generate_episode.sh`. Specifically, the `date -d "${DATE}"` command allows arbitrary command execution if the `$DATE` variable is controlled by an attacker, and the `sed` command embedding `$NEW_ITEM` is also vulnerable to injection. These flaws could lead to Remote Code Execution (RCE) if an attacker can influence the inputs (e.g., podcast title, description, or date) provided to the script, either directly or via prompt injection against the OpenClaw agent. While the overall intent of the skill (podcast generation) appears benign, these severe vulnerabilities classify it as suspicious due to the high risk of exploitation.

能力评估

⚠ Purpose & Capability

The functionality (fetch news, generate script, TTS, upload to S3, update RSS) is coherent with the name/description. However the registry metadata claims no required environment variables or binaries while the SKILL.md and included scripts clearly require S3 access, an external TTS API key (Fish Audio), ffprobe/ffmpeg, and the aws CLI. That mismatch (metadata says 'none' but the runtime needs credentials/tools) is a substantive incoherence.

ℹ Instruction Scope

SKILL.md instructions stay within podcast generation/publishing scope (scrape news, create dialogue, synthesize audio, upload, update RSS). However there are practical/behavioral issues: it tells the agent to 'web_fetch' scrape several sites (reasonable for news but watch robots/terms-of-service), and references delivering via messaging without specifying endpoints. More importantly, the code expects/uses formats different from examples (script parser expects '[HostA] text' but docs show 'HostA: ...'), and generate_episode.sh edits feed.xml in /tmp then uploads — typical but relies on aws CLI and whatever credentials are present. Overall behavior is within the claimed purpose but not robust or fully specified.

✓ Install Mechanism

There is no install spec and the skill is instruction-only with included scripts — nothing is downloaded or executed at install time. This lowers supply-chain risk. Required runtime dependencies are listed in SKILL.md but not enforced by an install step.

⚠ Credentials

The skill actually needs sensitive credentials and local config (S3 bucket access via aws CLI credentials, Fish Audio API key) but the registry metadata lists 'Required env vars: none'. The included fish_dual_tts.py hard-codes API_KEY/VOICE IDs as placeholders instead of reading environment variables (SKILL.md expects FISH_API_KEY, FISH_VOICE_A/B). generate_episode.sh uses S3_BUCKET/PODCAST_DOMAIN environment variables but falls back to defaults, and will use whatever AWS credentials are configured on the host. These discrepancies mean you could accidentally expose or use the wrong credentials; required secrets are not declared and the code does not safely read them.

✓ Persistence & Privilege

The skill does not request always:true and does not modify other skills or system-wide agent settings. It runs as an on-demand tool and performs publishing actions (S3 uploads) when invoked — standard for this purpose. Autonomous invocation is allowed (platform default) but is not combined with other high-risk privileges here.

版本历史

v1.0.0

dz-podcast 1.0.0 — Initial Release - Fully automated, dual-host daily podcast generator. - Fetches news, generates conversational scripts, creates dual-voice audio (Fish Audio or Edge TTS), and publishes episodes to S3 with a valid RSS feed. - Full support for Apple Podcasts, Spotify, and other major platforms. - Highly configurable topics, sources, and delivery channels. - Built-in cron automation for daily episode creation.

元数据

Slug dz-podcast

版本 1.0.0

许可证 —

累计安装 1

当前安装数 1

历史版本数 1

常见问题