Fulcra Morning Briefing
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: fulcra-morning-briefing
Version: 1.0.0
The skill bundle is benign. Its purpose is to collect biometric and calendar data from the Fulcra API and weather data from wttr.in to compose a personalized morning briefing. All network calls are directed to the legitimate Fulcra API (`api.fulcradynamics.com`) and the well-known weather service `wttr.in`. Authentication involves a standard OAuth2 device flow, with the access token stored locally in `~/.config/fulcra/token.json`. The `SKILL.md` instructions for the AI agent are clear, aligned with the stated purpose, and include explicit privacy warnings, showing no evidence of prompt injection or attempts to subvert the agent's behavior. The use of `curl` in `SKILL.md` and `collect_briefing_data.py` is limited to fetching weather data, and there are no signs of data exfiltration, malicious execution, persistence, or obfuscation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with access to that token file while it is valid may be able to access sensitive Fulcra data for the account.
The skill stores a Fulcra OAuth access token locally so later runs can access the user's Fulcra account data.
`"access_token": api.fulcra_cached_access_token` ... `with open(TOKEN_FILE, "w") as f: json.dump(token_data, f, indent=2)`
Only authorize this skill if you trust the local agent environment; protect or delete `~/.config/fulcra/token.json` when not needed, and revoke/re-authenticate if the token may have been exposed.
Private health and schedule details can enter the agent's working context and any logs or transcripts associated with the interaction.
The collector intentionally places biometric, sleep, calendar, and weather/location data into JSON for the agent to read.
Pulls sleep, HR, HRV, calendar from Fulcra API + weather from wttr.in. Outputs structured JSON for an agent
Use this only in agent environments where you are comfortable sharing health and calendar context; avoid forwarding the raw JSON or briefing transcript unnecessarily.
The weather provider may learn the location or city used for the briefing.
The weather feature uses an external weather endpoint and sends the chosen city/location as part of the request.
Weather (via wttr.in — no API key needed) ... `curl -s "wttr.in/YOUR_CITY?format=j1"`
Use a coarse location, such as city rather than exact address, or adapt the skill to use a weather provider you trust.
Future or unintended versions of the dependency could behave differently from the version the skill author expected.
The setup relies on an external Python package without a pinned version in the artifact instructions.
`pip3 install fulcra-api`
Install the package from a trusted source and consider pinning a known-good version in controlled environments.
