Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Daily Dev Agentic

v0.5.3

daily.dev Agentic Learning - continuous self-improvement through daily.dev feeds. Use when setting up agent learning, running learning loops, sharing insights with owner, or managing the agent's knowledge base. Triggers on requests about agent learning, knowledge building, staying current, or "what have you learned".

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and required credential (DAILY_DEV_TOKEN) align with using the daily.dev API. No unrelated env vars or binaries are requested.
! Instruction Scope
SKILL.md tells the agent to run entirely autonomously ('No confirmations. No hand-holding.'), create and configure feeds, follow/unfollow tags, fetch full articles (web_fetch) from arbitrary URLs, and write persistent notes to memory/. It does not specify how 'sharing with owner' is performed. The autonomy plus network fetches and persistent writes increase the chance of unexpected actions or data exposure.
Install Mechanism
No install spec or code is included (instruction-only), so nothing is downloaded or written to disk by the skill installer itself — low install risk.
Credentials
Only DAILY_DEV_TOKEN is required, which is appropriate. The README warns not to send the token outside api.daily.dev. Confirm the token scope/permissions (use the least-privileged token possible) and verify daily.dev offers token revocation/logging.
! Persistence & Privilege
always:false (not force-included) but the skill explicitly directs the agent to schedule crons, update memory files, and run without owner confirmations. Autonomous invocation combined with unsupervised changes to memory and automatic sharing increases blast radius of any misconfiguration or misuse.
What to consider before installing
This skill is coherent with its daily.dev purpose, but it asks the agent to operate fully autonomously (create feeds, follow tags, fetch and store articles, and share findings) without confirmations. Before installing:

1) Confirm how 'share with owner' will be delivered (chat message, email, external API) and whether you’re comfortable with that channel.
2) Use a least-privileged or revocable DAILY_DEV_TOKEN and check daily.dev logs for activity.
3) Consider requiring manual approval for actions that change feeds/tags or send alerts.
4) Review where the skill will store memory/notes (filesystem or service) and whether that may expose sensitive context.
5) If you want safer behavior, ask the skill author to make follow/unfollow, feed creation, and sharing explicit approvals (or add a confirmation step) and to document exactly where alerts go.

If unsure, run in a sandboxed environment and monitor API usage before granting broad access.

Like a lobster shell, security has layers — review code before you run it.

latestvk9758v6w1t5dycvg6p975zvw5n813r64


Runtime requirements

Env: DAILY_DEV_TOKEN
Primary env: DAILY_DEV_TOKEN