Daily Rhythm
Warn
Audited by ClawScan on May 10, 2026.
Overview
Daily Rhythm is a coherent planning skill, but it handles Google and Stripe account data, stores sensitive local memory, and uses persistent cron scripts with hard-coded local paths that should be reviewed before use.
Before installing, replace all /Users/tom paths with your own workspace, use restricted read-only credentials where possible, keep memory files private, and enable cron or messaging delivery only after confirming what data will be synced and where it will be sent.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If enabled, the skill may use a powerful Stripe secret key and read subscription/customer information from the connected Stripe account.
The Stripe sync script reads a Stripe API key from local files, including a hard-coded user-specific workspace path. Stripe credentials can expose financial/business account data, and the artifacts do not require a restricted read-only key or declare this credential in metadata.
env_paths = [
'/Users/tom/.openclaw/workspace/.env.stripe',
os.path.expanduser('~/.openclaw/workspace/.env.stripe'),
'.env.stripe'
]
Use a restricted Stripe key with the minimum read-only permissions needed, remove hard-coded credential paths, declare the credential requirement, and disable Stripe syncing if ARR tracking is not needed.
Cron jobs may fail, run against the wrong workspace, or place synced personal/business data somewhere the user did not expect.
The morning brief script changes into a hard-coded personal workspace and runs account-sync scripts. This is related to the skill purpose, but the fixed path and unattended execution can make the script operate in an unintended local environment.
cd /Users/tom/.openclaw/workspace ... python3 skills/daily-rhythm/scripts/sync-google-tasks.py 2>/dev/null ... python3 skills/daily-rhythm/scripts/sync-stripe-arr.py 2>/dev/null
Replace hard-coded paths with the installing user's configured workspace path before enabling cron, and run the scripts manually once to confirm exactly what they read and write.
The automation may continue syncing account data and generating prompts until the user removes the cron jobs.
The skill explicitly recommends persistent scheduled jobs. This is expected for daily planning automation, but it means the skill can keep running after setup.
Set up cron jobs ... 0 7 * * * ... sync-stripe-arr.py ... 30 8 * * * ... morning-brief.sh
Only add the cron entries you actually want, document them, and know how to remove or pause them.
Anyone or any process with access to the workspace memory files may see synced task details and related planning notes.
The Google Tasks sync stores task titles, notes, due dates, links, and other details in a local memory JSON file. This is purpose-aligned for morning briefs, but it persists potentially sensitive personal/work information.
'title': task['title'],
'notes': task.get('notes', ''),
'due': task.get('due'),
...
output_path = os.path.join(output_dir, 'google-tasks.json')
Keep the memory directory private, avoid syncing highly sensitive task lists, and define retention or cleanup for old daily notes and synced data.
Sensitive daily planning or business information could be sent to a messaging channel if the user configures that automation carelessly.
The template suggests sending briefs containing calendar, task, business, and open-loop information through messaging services. This can be useful, but the artifacts do not define recipient identity, channel security, or delivery approvals.
Send via Telegram/WhatsApp/Signal with: - ... Today's Calendar ... ARR Progress ... Tasks ... Open Loops
Use only trusted private recipients/chats, review what content will be sent, and avoid including Stripe or sensitive task data in external notifications unless necessary.
Future package changes could alter behavior or break the scripts.
The setup instructions install external Python packages without pinned versions. These dependencies are expected for Google and Stripe integrations, but unpinned installs reduce reproducibility.
pip install google-auth google-auth-oauthlib google-auth-httplib2 google-api-python-client stripe
Install in a virtual environment and consider pinning known-good package versions.
