Back to skill
Skillv1.0.0
ClawScan security
Personal Assistant · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 11, 2026, 9:46 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This skill is internally consistent with its stated purpose: a simple, local daily-briefing generator that uses no external services, credentials, or unusual privileges.
- Guidance
- This skill appears safe and does what it says: generate local daily briefings. Before installing, verify the repository/source if provenance matters (README includes a GitHub clone URL). If you plan to automate delivery (Telegram, email, etc.), be aware the skill does not implement those integrations — any added delivery code will likely require credentials; store them securely and review any integration code for network calls. If you only need a local briefing generator, this skill is minimal and coherent.
Review Dimensions
- Purpose & Capability
- okName/description match the files and behavior. The code generates local daily briefings (motivation, priorities, habits, reflection) and the README/SKILL.md accurately describe this. Claims about being 'location-aware' are limited to including a location string for context; no external weather API is called (README even notes weather requires a separate skill).
- Instruction Scope
- noteRuntime instructions are limited to running the included Python script and optionally adding an OpenClaw cron job. The SKILL.md/README include examples like 'Receive briefing via Telegram' and a git clone URL, but there is no Telegram integration or network activity in the provided script — this is a mild documentation mismatch rather than a security issue. The instructions do not ask the agent to read unrelated files, access credentials, or transmit data.
- Install Mechanism
- okNo install spec; this is effectively instruction-only plus a small Python script. README suggests cloning from GitHub (a normal developer workflow) but there are no downloads from unknown hosts, no package installs, and the script uses only the Python standard library.
- Credentials
- okThe skill requests no environment variables, no credentials, and no config paths. The code does not access environment variables or secrets. Required permissions are limited to writing its own output JSON file in the working directory.
- Persistence & Privilege
- okalways is false and the skill does not request persistent system-wide privileges or modify other skills. It only writes its own output file when run. Autonomous invocation is allowed by default but the skill's behavior is harmless and local.