Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Daily Gift
v1.0.1
Generate personalized, relationship-aware daily gifts in H5, image, video, text, or interactive text-play formats to mark meaningful moments and milestones.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, docs, and included scripts (render-image/video, fetch-asset-bundle, fetch-music, remove-bg, post-delivery) match the stated goal of producing H5/image/video/text gifts. Optional provider keys listed in README (OPENROUTER/GEMINI/GOOGLE/VOLCENGINE/FREESOUND/REMOVE_BG) are coherent with image/video/music features. CHANGELOG note about provider-specific endpoints and surge.sh hosting is consistent with rendering and delivery functionality.
Instruction Scope
SKILL.md instructs the skill to create a recurring cron job targeting the agent's main session (full context/compaction available), run silent heartbeat maintenance, run post-delivery bookkeeping via scripts/post-delivery.sh, save user-shared images to workspace/daily-gift/user-references/, and read many local reference files. These behaviors are expected for a persistent 'daily gift' feature but expand scope to background execution and local storage of user data. README examples (e.g., delivering a 'screenshot of its browser history') raise privacy concerns — the repo does not clearly justify or limit access to system/browser data. Review scripts for any instructions that read unrelated system paths or environment variables.
Install Mechanism
There is no install spec (instruction-only), which limits automatic code downloads. However, the repo includes many executable shell scripts and templates that will be placed on disk when the skill is installed. Those scripts may perform network calls at runtime (fetch, API calls, hosting uploads). No external archive download or opaque install URL was found in the provided metadata, which reduces install-time risk.
Credentials
The skill declares no required environment variables; README documents several optional API keys that match the feature set (image/video/music/hosting). Requesting optional provider credentials (image/video/music/host) is proportionate to rendering/delivery functionality. Still, optional keys give the skill the ability to contact external services and process media — supply them only if you trust the skill and have reviewed the scripts that use them.
Persistence & Privilege
The skill's setup flow will create a cron job intended to run in the agent's main session with access to conversation context/compaction and to run silent heartbeat tasks and post-delivery bookkeeping. Autonomous runs combined with background tasks and network-capable scripts increase the blast radius if the skill misbehaves. 'always' is false, but the skill explicitly instructs scheduling recurring runs — review and approve that setup step carefully.
What to consider before installing
This repo mostly fits its stated purpose (rendering H5/images/videos and delivering 'gifts'), but it carries privacy and operational risks you should consider:
1) Setup will create a cron job that runs in the agent's main session (it will run unattended and can access conversation context); only allow this if you trust the skill source.
2) Inspect scripts/ (especially fetch-*, post-delivery.sh, render-*, deploy.sh, and remove-bg.sh) before supplying any optional API keys — they will be used to call external endpoints.
3) The README includes example outputs that imply sensitive data could be used; confirm the skill will not read browser history, arbitrary system files, or secrets from your environment unless you explicitly authorize that.
4) If you want to try it, run setup manually in a sandbox account or environment first, do not provide optional provider keys until you review network calls, and back up any workspace files the skill will write (workspace/daily-gift/).
If you can, ask the author for a short audit of which scripts call which external hosts and where optional keys are consumed; absence of that information lowers confidence.
Like a lobster shell, security has layers — review code before you run it.
