Back to skill
Skillv1.0.0
ClawScan security
Daily Briefing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 5, 2026, 11:14 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions are coherent with a morning briefing purpose; it is instruction-only, requests no new credentials, and relies on the agent's existing integrations and workspace files.
- Guidance
- This skill is internally consistent with its purpose, but it will read and summarize sensitive data if you enable those sources. Before installing: (1) review and control BRIEFING.md to limit sections (don’t enable 'Inbox summary' or GitHub issues unless you want the agent to access emails/repos), (2) ensure your calendar, messaging channels, and any other integrations are configured with the credentials you intend and belong to trusted services, (3) be aware the agent will write logs to memory/briefing-log.json in its workspace, and (4) test delivery in a low-risk channel before enabling cron/heartbeat for automatic daily runs.
Review Dimensions
- Purpose & Capability
- okName/description (daily briefing: calendar, tasks, weather, news, delivery) matches the instructions. The SKILL.md only asks the agent to read local configuration files (BRIEFING.md, HEARTBEAT.md, memory/*.md, optional TODO.md) and available integrations (calendar, weather, messaging channels), which are reasonable for this skill.
- Instruction Scope
- noteInstructions direct the agent to read/write workspace files (BRIEFING.md, memory/YYYY-MM-DD.md, memory/briefing-log.json) and to use configured integrations (calendar, messaging channels, optional email, GitHub issues). This is consistent with the briefing purpose but does involve access to potentially sensitive personal data (calendar entries, email summaries, task files). The skill itself does not request extra credentials, but will operate with whatever integrations the agent already has.
- Install Mechanism
- okNo install spec and no code files — instruction-only. This minimizes disk writes and arbitrary code execution risk; nothing is downloaded or installed by the skill.
- Credentials
- okThe skill declares no required environment variables or credentials. It assumes preconfigured channels/integrations managed by the agent/platform rather than adding new secrets. This is proportionate to its stated functionality.
- Persistence & Privilege
- okalways is false and the skill does not request persistent elevated privileges. It suggests writing a local briefing-log.json and adding cron/heartbeat rules via the agent's normal mechanisms (which is expected for scheduling). Nothing indicates it modifies other skills or global agent policy.