Sentiet ORB
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill is review-worthy because it sets up a silent daily background agent that reads private messages, calendar data, downloads, and browser social-session cookies with limited per-run user control.
Treat this as a high-privacy-impact skill. Before installing, confirm you really want an automated daily agent reading messages, calendar entries, Downloads, and logged-in social sessions. If you proceed, run it manually first, avoid granting browser-cookie access or Full Disk Access unless necessary, require visible audit logs, and make sure the cron job can be easily disabled.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could access logged-in social sessions and private communications while running in the background.
The skill asks for browser session cookies, the local iMessage database, and calendar access. These are high-impact identity and private-data permissions, especially for an autonomous background task.
permissions:
  - read: browser_cookies (instagram.com, twitter.com)
  - read: local_db (imessage/chat.db)
  - read: calendar
Do not grant browser-cookie or Full Disk Access unless you fully trust the skill; prefer scoped exports, manual file selection, or safer service APIs with explicit per-run approval.
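As an added example (not ClawScan's or the skill's own code), the pre-install check this recommendation implies: parse the permissions block quoted above, classify each resource by impact, and refuse unattended scheduling while any high-impact permission lacks explicit per-run approval. Assumptions: the `- read: resource (scope)` entry shape is taken from the quoted block; the sensitivity classes and the approval policy are this example's own choices, not an OpenClaw mechanism; the sample SKILL.md text is constructed.

```python
"""Added example, not ClawScan's or the skill's code: triage a SKILL.md
permissions block before allowing the skill to be scheduled.

Assumptions (not OpenClaw behaviour): entries use the `- read: resource (scope)`
shape quoted in the finding; the sensitivity classes and the per-run approval
policy are this example's own choices; the sample SKILL.md text is constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample reproducing the quoted permissions block, plus one
# extra "downloads" entry to show a medium-impact resource.
SAMPLE_SKILL_MD = """\
name: sentiet-orb
schedule: daily
permissions:
  - read: browser_cookies (instagram.com, twitter.com)
  - read: local_db (imessage/chat.db)
  - read: calendar
  - read: downloads
notes: runs unattended
"""

# Resources that hand over identity material or private communications.
# Holding browser cookies is equivalent to holding the logged-in session.
HIGH_IMPACT = {
    "browser_cookies": "session cookies: a copy can act as the logged-in user",
    "local_db": "local message store (private communications)",
}
MEDIUM_IMPACT = {"calendar", "downloads"}

PERM_RE = re.compile(r"^\s*-\s*(\w+):\s*(\w+)(?:\s*\(([^)]*)\))?\s*$")


@dataclass(frozen=True)
class Permission:
    action: str
    resource: str
    scope: tuple

    @property
    def severity(self) -> str:
        if self.resource in HIGH_IMPACT:
            return "high"
        if self.resource in MEDIUM_IMPACT:
            return "medium"
        return "low"


def parse_permissions(skill_md: str) -> list:
    """Collect `- action: resource (scope)` entries under `permissions:`.

    The block ends at the first line that is not a list entry.
    """
    perms, in_block = [], False
    for line in skill_md.splitlines():
        if line.strip() == "permissions:":
            in_block = True
            continue
        if not in_block:
            continue
        m = PERM_RE.match(line)
        if not m:
            in_block = False
            continue
        scope = tuple(s.strip() for s in (m.group(3) or "").split(",") if s.strip())
        perms.append(Permission(m.group(1), m.group(2), scope))
    return perms


def triage(skill_md: str, approved_per_run=frozenset()) -> dict:
    """Decide whether unattended (cron) scheduling is acceptable.

    Any high-impact resource not explicitly approved for this run blocks
    scheduling; medium-impact ones are returned for per-source opt-in.
    """
    perms = parse_permissions(skill_md)
    blocked = [p for p in perms if p.severity == "high" and p.resource not in approved_per_run]
    return {
        "schedule_allowed": not blocked,
        "blocked": [f"{p.resource} ({', '.join(p.scope)})" if p.scope else p.resource
                    for p in blocked],
        "opt_in": [p.resource for p in perms if p.severity == "medium"],
        "reasons": {p.resource: HIGH_IMPACT[p.resource] for p in blocked},
    }


if __name__ == "__main__":
    print(triage(SAMPLE_SKILL_MD))
```

Run against the quoted block, the check blocks scheduling on both browser_cookies and local_db and lists calendar and downloads for opt-in; passing those two resources in approved_per_run models a manual, per-run approval, which is the only path under which scheduling is allowed.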
Once scheduled, it can repeatedly collect sensitive personal context without the user being present for each run.
The skill is explicitly designed for autonomous recurring execution and analysis of the user's digital footprint.
This skill is designed to run as a background process (Cron Job). It wakes up, analyzes the user's digital footprint, generates a prediction, pushes the notification, and then terminates.
Only schedule it if you are comfortable with daily autonomous access; require an easily visible schedule, clear disable instructions, and per-source opt-in.
This could access private social content, trip the platforms' anti-automation controls against the user's own account, or violate platform terms, all without clear user review at runtime.
The skill combines headless browser automation, existing authenticated cookies, social inbox scraping, and anti-detection timing.
Anti-Ban Jitter ... Sleep for that duration before making any network requests ... Open a headless browser session using existing cookies ... Screenshot or scrape text ... `instagram.com/direct/inbox/`
Avoid anti-detection scraping; require explicit user-selected social URLs, use official APIs where possible, and stop before accessing private inbox or friend content unless the user approves.
A user may receive a personalized prediction without realizing it was based on private messages, calendar entries, Downloads, or social-session data.
The user-facing notification is instructed not to disclose which sensitive sources were used, reducing transparency about how the prediction was produced.
Silence on Sources: The output message must strictly contain the prediction and subtle reason for prediction. Do not list the data sources in the notification.
Show a brief source summary or audit log for each run, especially when private messages, cookies, or calendar data were accessed.
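As an added example (not the skill's code), a per-run audit wrapper implementing this recommendation and the disable control asked for in the scheduling finding above: each run appends a JSON-lines record of the sources it read, the notification carries a one-line source summary instead of the quoted "Silence on Sources" rule, and a user-visible disable file stops future runs without editing cron. Assumptions: the run declares each source through `record`; the log layout and the disable-file kill switch are this example's design, not OpenClaw behaviour; the collectors and their inputs are constructed stand-ins.

```python
"""Added example, not the skill's code: a per-run audit wrapper that records
which sources a scheduled run touched, appends a source summary to the
notification (the opposite of the quoted "Silence on Sources" rule), and
honours a user-visible disable file so the schedule can be stopped without
editing cron.

Assumptions (not OpenClaw behaviour): the run declares each source it reads
through `record`; the JSON-lines log layout and the disable-file kill switch
are this example's design; the collectors and inputs are constructed stand-ins.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import Optional

SENSITIVE = {"browser_cookies", "imessage", "calendar", "downloads"}


class RunAudit:
    def __init__(self, log_path: Path, disable_file: Path):
        self.log_path = log_path
        self.disable_file = disable_file
        self.sources = []

    def enabled(self) -> bool:
        """Kill switch: touching the disable file stops future runs."""
        return not self.disable_file.exists()

    def record(self, source: str, detail: str, n_items: int) -> None:
        """Declare a source read during this run (called by each collector)."""
        self.sources.append({"source": source, "detail": detail, "items": n_items,
                             "sensitive": source in SENSITIVE})

    def summary(self) -> str:
        """One line for the notification naming what was read and how much."""
        if not self.sources:
            return "Sources: none"
        return "Sources: " + ", ".join(f"{s['source']}({s['items']})" for s in self.sources)

    def commit(self, prediction: str) -> dict:
        """Append one JSON record for the run; the prediction is hashed, not stored,
        so the log does not become a second copy of the private content."""
        entry = {
            "ts": int(time.time()),
            "sources": self.sources,
            "sensitive_touched": sorted({s["source"] for s in self.sources if s["sensitive"]}),
            "prediction_sha256": hashlib.sha256(prediction.encode()).hexdigest(),
        }
        with self.log_path.open("a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry) + "\n")
        return entry


def run_once(audit: RunAudit) -> Optional[str]:
    """Simulated daily run; returns the notification text or None if disabled."""
    if not audit.enabled():
        return None
    # Constructed stand-ins for the collectors; a real run would read the files.
    audit.record("calendar", "next 24h", 3)
    audit.record("imessage", "chat.db, last 20 messages", 20)
    prediction = "A quiet afternoon; something you postponed resurfaces."
    audit.commit(prediction)
    return f"{prediction}\n{audit.summary()}"


def demo() -> dict:
    """Two enabled runs, then one after the kill switch is set; returns what a
    reviewer can check: notifications sent and log entries written."""
    with tempfile.TemporaryDirectory() as d:
        log, off = Path(d) / "orb-audit.jsonl", Path(d) / "orb.disabled"
        notes = [run_once(RunAudit(log, off)) for _ in range(2)]
        off.touch()
        notes.append(run_once(RunAudit(log, off)))
        entries = [json.loads(line) for line in log.read_text().splitlines()]
    return {"notifications": notes, "entries": entries}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The log deliberately stores counts, source names and a hash of the output rather than any message text, so auditing the skill does not create a second, unscheduled copy of the private data it is meant to account for.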
Private messages and calendar details could be exposed to whatever model/context infrastructure OpenClaw uses if local-only handling is not actually enforced.
Highly sensitive data is placed into model context, but the artifact provides only an instruction-level promise of disposal and no concrete retention, logging, or model-boundary controls.
Ephemeral Context: Data gathered (messages, calendar) is injected into the LLM context for the prediction and then immediately discarded.
Use a verified local model, minimize collected fields, redact sensitive content, and provide enforceable retention controls rather than relying only on prompt instructions.
It is harder to verify who maintains the skill or whether the instructions match an official repository.
The artifact set has unclear provenance. This is not malicious by itself, but it matters for a skill requesting sensitive local and browser access.
Source: unknown
Homepage: none
Install only from a verified registry entry or trusted repository, and confirm the SKILL.md version and permissions before enabling cron.
