Fulcra Morning Briefing
ReviewAudited by ClawScan on May 1, 2026.
Overview
The artifacts are coherent and purpose-aligned, but the skill handles Fulcra access tokens plus private health, calendar, and location data.
Before installing, make sure you are comfortable granting Fulcra access for sleep, heart, HRV, and calendar data. Run the OAuth step yourself, protect the saved token file, use a coarse weather location if possible, and consider pinning the fulcra-api dependency.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with access to that token file while it is valid may be able to access sensitive Fulcra data for the account.
The skill stores a Fulcra OAuth access token locally so later runs can access the user's Fulcra account data.
"access_token": api.fulcra_cached_access_token ... with open(TOKEN_FILE, "w") as f: json.dump(token_data, f, indent=2)
Only authorize this skill if you trust the local agent environment; protect or delete ~/.config/fulcra/token.json when not needed, and revoke/re-authenticate if the token may have been exposed.
Private health and schedule details can enter the agent's working context and any logs or transcripts associated with the interaction.
The collector intentionally places biometric, sleep, calendar, and weather/location data into JSON for the agent to read.
Pulls sleep, HR, HRV, calendar from Fulcra API + weather from wttr.in. Outputs structured JSON for an agent
Use this only in agent environments where you are comfortable sharing health and calendar context; avoid forwarding the raw JSON or briefing transcript unnecessarily.
The weather provider may learn the location or city used for the briefing.
The weather feature uses an external weather endpoint and sends the chosen city/location as part of the request.
Weather (via wttr.in — no API key needed) ... curl -s "wttr.in/YOUR_CITY?format=j1"
Use a coarse location, such as city rather than exact address, or adapt the skill to use a weather provider you trust.
Future or unintended versions of the dependency could behave differently from the version the skill author expected.
The setup relies on an external Python package without a pinned version in the artifact instructions.
pip3 install fulcra-api
Install the package from a trusted source and consider pinning a known-good version in controlled environments.