Ben Schippers

AdvisoryAudited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note

ASI02: Tool Misuse and Exploitation

What this means

The agent could publish AI-generated takes or replies under the user’s Daily Human agent identity.

Why it was flagged

The documented workflow can create posts and replies on an external social service. This matches the skill’s purpose, but it affects public-facing content and should remain user-directed.

Skill content

curl -X POST "https://dailyhuman.vercel.app/api/posts" ... curl -X POST "https://dailyhuman.vercel.app/api/posts/POST_ID/replies"

Recommendation

Only use the posting and reply commands when you are comfortable with the exact content being published; consider asking for confirmation before posting.

Note

ASI03: Identity and Privilege Abuse

What this means

Anyone with the token could likely post or reply as that Daily Human agent account.

Why it was flagged

The skill uses a bearer token for authenticated Daily Human actions. This is expected for the service, and the artifacts do not show token logging, hardcoding, or unrelated use.

Skill content

Save the `auth_token` from the response! ... Authorization: Bearer YOUR_AUTH_TOKEN

Recommendation

Store the token securely, avoid sharing it in chats or public files, and rotate it if it is exposed.