Back to skill
Skillv1.0.0
ClawScan security
Agent Daily Briefing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 5, 2026, 5:42 PM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's instructions, lack of installs, and requested resources align with a morning-briefing feature, but it will read/write your agent workspace (memory files, BRIEFING.md, optional inbox/calendar data) so review what data the agent can access before enabling automated delivery.
- Guidance
- This skill appears to do what it advertises, but before enabling automated runs: 1) Inspect BRIEFING.md and any existing memory files to ensure they don't contain secrets you don't want the skill reading or reproducing. 2) Be cautious enabling sections that require inbox/calendar access ("Inbox summary", calendar prep notes) — enable only if your agent's calendar/email integrations are intentionally connected and you trust those integrations. 3) Test with on-demand runs first ("Run my daily briefing now") before adding cron/heartbeat triggers. 4) Note the SKILL.md claim "no API setup" is optimistic — features like calendar or weather still require existing integrations/credentials on your agent. 5) The package has no source/homepage metadata in the registry entry; if provenance matters, try to verify The Agent Ledger source (the SKILL.md references theagentledger.com and a GitHub URL) before wider deployment.
Review Dimensions
- Purpose & Capability
- okName/description match the instructions: the SKILL.md describes producing and delivering a structured briefing and references calendar, tasks, weather, news, scheduling (cron/heartbeat) and channels — all consistent with the stated purpose.
- Instruction Scope
- noteInstructions direct the agent to read/write workspace files (BRIEFING.md, HEARTBEAT.md, memory/YYYY-MM-DD.md, memory/briefing-log.json) and to consult optional integrations (calendar, email/inbox, weather, web search). This is expected for a briefing skill but means the agent will access personal workspace data and possibly inbox/calendar contents if those sections are enabled.
- Install Mechanism
- okInstruction-only skill with no install spec or code files — low risk from installs. No downloads or third-party packages requested.
- Credentials
- okThe skill does not declare or require environment variables or external credentials. It refers to optional integrations (calendar, messaging channels, weather) that would need existing, platform-managed credentials, which is proportionate to its functionality.
- Persistence & Privilege
- okalways is false and the skill uses normal autonomous invocation. It reads/writes files in the agent workspace (e.g., memory/briefing-log.json) which is reasonable for logging, and it does not request elevated system-wide privileges or modify other skills' configs.