daily.dev
v0.3.1
Overcome LLM knowledge cutoffs with real-time developer content. daily.dev aggregates articles from thousands of sources, validated by community engagement, with structured taxonomy for precise discovery.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious · medium confidence
Purpose & Capability
The name/description claim to integrate with daily.dev and the SKILL.md provides API endpoints and examples that match that purpose. However, the runtime examples require a daily.dev API token (and implicitly GitHub access for repo scanning) while the registry metadata declares no required environment variables or credentials — an inconsistency between claimed capability and declared requirements.
Instruction Scope
The SKILL.md instructs agents to 'scan a user's GitHub repositories' (package.json, go.mod, etc.), analyze GitHub activity, and POST updates to the user's daily.dev profile. Those actions involve reading user repositories and interacting with third-party services beyond daily.dev. The document is vague about where repos live, how GitHub access/auth is obtained, and what scope of files will be read, which could give the agent broad discretion to access user code and metadata.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. That reduces installation risk. The SKILL.md does recommend installing libsecret-tools on Linux for secret storage, but that's a user-side suggestion rather than an automatic install by the skill.
Credentials
The instructions clearly require a daily.dev API token (and recommend storing/reading it from an env var like DAILY_DEV_TOKEN), and many use-cases imply needing GitHub access/credentials. Yet the registry metadata lists no required env vars or primary credential. This mismatch means the skill as-published understates the credentials it will rely on, and it does not declare potential need for unrelated credentials (e.g., GitHub token) that agents may request at runtime.
Persistence & Privilege
The skill sets always:false (the default) and allows autonomous invocation. The SKILL.md describes scheduled digests and automated profile updates; combined with the instruction-scope concerns and undeclared credentials, autonomous runs could access and transmit user repo data or update profiles without clear guardrails. The setting itself is not unusual, but it increases the importance of the missing declarations and scope controls.
What to consider before installing
This skill appears to implement a legitimate daily.dev integration, but there are notable gaps you should address before installing:
- The README expects a daily.dev API token (dda_...) and suggests using DAILY_DEV_TOKEN, but the registry metadata lists no required env vars — treat the token as required and only provide it to api.daily.dev.
- Several examples describe scanning GitHub repositories and updating your daily.dev profile. Clarify where the agent will access repositories (local copy vs. GitHub API) and whether a GitHub token is needed. Do not grant broad GitHub scopes unless you understand and consent.
- Ask the publisher to update metadata to declare required env vars/credentials (daily.dev token, and GitHub token if needed) and to specify the minimal scopes required for those tokens.
- Prefer least-privilege tokens and store them in a secrets manager or OS credential store as suggested. Avoid pasting tokens into chats or public places.
- If you plan to enable scheduled or autonomous digests, confirm exactly what data will be collected, how often, and where summaries are delivered. Consider running the agent interactively first to see its concrete network calls.
If the publisher cannot clarify the GitHub access model and required credentials, treat the skill as higher risk and avoid installing it with wide permissions.
latest · vk975rgjr8wnach5ptbzf3mw49580ha0d
