Skill v1.0.2
ClawScan security
Morning Briefing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 13, 2026, 12:24 PM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requests and instructions are consistent with a local macOS CLI that builds a morning briefing, but verify the npm package provenance and any license/permission handling before installing.
- Guidance: This skill appears coherent: it expects a local 'briefing' CLI that reads local calendar/reminders, RSS, and weather. Before installing, verify the npm package author and inspect the package (npm view / fetch the tarball and review contents) to ensure it doesn't exfiltrate data. Confirm how 'briefing activate <license-key>' stores the key (file, keychain) if you need to provide one. Grant macOS calendar/reminders permissions only if you trust the CLI. If you need stronger assurance, ask the publisher for a homepage/repository or request the package source to review.
Review Dimensions
- Purpose & Capability (ok): Name/description (local morning briefing) matches the runtime instructions which call a local 'briefing' CLI and reference calendar, reminders, weather, and RSS news — all plausible local sources for a morning briefing.
- Instruction Scope (note): SKILL.md instructs only to run the local 'briefing' binary and use its flags; it references the config path (~/.config/morning-briefing/config.json), macOS calendar/reminders permission prompts, cron scheduling, and a license activation step. Reading local calendar/reminders and the config file is expected for this purpose, but the license activation step could involve entering/storing a secret not declared in requires.env.
- Install Mechanism (note): Install is an npm package (@openclaw-tools/morning-briefing) that creates the 'briefing' binary. An npm package install is a reasonable mechanism here, but it carries the usual supply-chain risk — package provenance and contents should be checked before installing.
- Credentials (ok): The skill declares no environment variables or credentials, which is consistent with a local-CLI-based briefing. However, the SKILL.md's 'briefing activate <license-key>' suggests optional license keys/secret entry that are not declared; users should confirm how/where such keys are stored.
- Persistence & Privilege (ok): 'always' is false and the skill doesn't request system-wide config changes. It suggests adding a cron job via platform tooling, which is appropriate for scheduled briefings and within scope.
