ClawHub

Charisma Research Loop

v1.0.0

Generate daily high-signal charisma/engagement insights with a self-improving novelty loop. Use when sending recurring tips on charisma, body language, orati...

0· 295·0 current·0 all-time
byDerezar Master@dman3629
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Generating rotating, self-improving insight sets and logging them is coherent with the skill name/description. However, the SKILL.md requires reading and appending /root/.openclaw/workspace/memory/charisma-insight-ledger.md even though the skill declares no required config paths — the ledger path is not declared or justified in the metadata.
!
Instruction Scope
Instructions explicitly tell the agent to read and modify an absolute root workspace path and to send email briefs and create/update calendar events. Those file I/O and external-delivery actions extend beyond simple content generation and are not scoped or constrained in the metadata (no declared config paths, no declared delivery endpoints or credentials).
Install Mechanism
This is instruction-only with no install spec or code to write to disk, so there is no installer-related risk. The primary risk comes from the instructions themselves.
!
Credentials
The skill requests no environment variables or credentials but requires delivering emails and calendar entries — actions that normally require account access or connectors. The absence of declared credentials or explanation for how delivery will occur is a mismatch. Also, the ledger path is under /root, implying elevated workspace access.
!
Persistence & Privilege
The skill mandates appending a run log to a workspace ledger (persistent state). Writing to the agent's root-level workspace file without declaring or asking for permission expands persistence and privilege; while persisting its own run log can be legitimate, the absolute path and lack of declared authorization are concerning.
What to consider before installing
Before installing, ask the skill author to: 1) explicitly declare the config path(s) it will read/write (and explain why /root/.openclaw/... is required); 2) explain how email/calendar delivery is performed and what credentials or connectors are used (and list required env vars or integrations); 3) confirm what data is stored in the ledger and for how long; 4) prefer a skill-scoped writable path (not an absolute root path) or let you choose the ledger location; and 5) consider sandboxing or reviewing the first few ledger entries and backups before granting write permission. If the author cannot clarify these points, treat the skill as higher risk because it can read/write persistent agent memory and send external messages without declared boundaries.

Like a lobster shell, security has layers — review code before you run it.

latestvk97csj7bjph5w3wbbknd0r0y7n81znqm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments