Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Morning Brief
v1.0.1
Delivers a daily 7 AM CDT briefing with local weather, one key healthcare revenue insight, Pittsburgh sports updates, and seasonal fantasy baseball news.
⭐ 0 · 65 · 1 current · 1 all-time
by @j3m2b
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill advertises weather, RCM news, sports, and fantasy updates. The bundled email_briefing.py reads a Gmail inbox via IMAP and summarizes messages — functionality not mentioned in SKILL.md and not justified by the described brief.
Instruction Scope
SKILL.md runtime instructions never mention reading email. The code accesses mailbox contents and prints summaries; if the agent includes those summaries in the scheduled 'announce' delivery to a Discord channel, that could leak private email content. The code also expects env vars not declared in the manifest.
Install Mechanism
No install spec (instruction-only). No external downloads or archive extraction. Risk comes from included code file, not from an installer.
Credentials
email_briefing.py reads GMAIL_EMAIL and GMAIL_APP_PASSWORD from environment but requires.env lists none. Requesting a Gmail app password is high-privilege and disproportionate to the stated skill purpose; storing such credentials (comment references ~/.openclaw/.env) increases exposure.
Persistence & Privilege
always is false and the skill is not force-installed. However, the cron config will schedule an automated daily job that announces output to Discord — combining automated runs with undeclared Gmail access raises the blast radius if the code is executed.
What to consider before installing
Do not install this skill until the author clarifies or fixes it. Specific actions to consider:
1) Ask the publisher why email access is included and require that they either remove email_briefing.py or explicitly document and justify GMAIL_EMAIL and GMAIL_APP_PASSWORD in the manifest.
2) If email access is needed, require least-privilege controls (use a dedicated, limited Gmail account and an app password that can be revoked).
3) Confirm where outputs will be posted — the cron shows a Discord announce; ensure private inbox summaries are not posted to public channels.
4) Request a code review or remove the file; ensure required env vars are declared so you can make an informed decision.
5) If you must test, run in an isolated environment and do not use real credentials or production inboxes.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97es22mzbftp96qaktfmk3tfn83jfd4
