Daily Briefing

Security checks across malware telemetry and agentic risk

Overview

The skill is a real daily briefing tool, but it can automatically send calendar and usage details through iMessage to a hard-coded recipient on a daily schedule.

Review before installing or scheduling. Change every recipient from paulkingham@mac.com, keep the cron job disabled until you have previewed a generated briefing, decide whether calendar events, OpenClaw skill metadata, and AI cost data should be included, and install imsg/codexbar only if you trust those tools.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation indicates capabilities to read local files, make network requests, and execute shell scripts, but it does not declare corresponding permissions. This creates a transparency and consent problem: users may install or schedule the skill without understanding that it accesses local calendar/config data and performs outbound requests and message delivery.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior understates what the skill appears to do: in addition to generating a briefing, it may read local OpenClaw directories, gather usage/cost data, and use a hardcoded/default recipient. Hidden or under-disclosed data collection and outbound delivery are dangerous because they can expose local metadata or sensitive personal information to an unintended destination on an automated schedule.

Context-Inappropriate Capability

Medium
Confidence
69% confidence
Finding
The daily briefing skill reaches outside its stated scope to inspect model usage and cost data through an external CLI, which can expose potentially sensitive account telemetry unrelated to the user-facing briefing. In a scheduled messaging workflow, this creates an unnecessary data-access path and could leak spending, usage volume, or model details into outbound briefings or logs.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
This code hard-codes local paths to the user's OpenClaw skills and workspace areas and then inventories skill metadata by enumerating directories and reading SKILL.md files. For a 'daily briefing' feature, that creates unnecessary access to local repository/workspace information and can expose private project names, descriptions, and activity timing in the generated output, expanding the skill's data access beyond its stated purpose.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README explicitly promotes automatic generation and scheduled delivery of briefing content to a messaging app, including iMessage and cron-based unattended sending, but does not warn users about privacy, consent, recipient verification, or the risk of sending sensitive calendar/news-derived content to the wrong destination. In this skill context, the feature is inherently side-effectful because it can transmit personal data off-process or to external messaging infrastructure on a schedule, making the omission of safeguards materially relevant rather than merely a documentation gap.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill sends calendar-derived and aggregated personal briefing content via iMessage every day, but the description lacks a clear privacy warning. Because calendar entries can contain sensitive meeting names, locations, and contacts, automatic transmission over a messaging channel increases the risk of unintended disclosure, especially if the recipient or device configuration is wrong.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The cron payload is a free-form natural-language instruction that tells the agent to change directories, run a shell script, and send the result to a specific iMessage recipient, but it does not constrain the permitted tools, expected outputs, or validation checks. In an automated scheduled context, this broad instruction increases the risk of unintended command execution, misuse of messaging capabilities, or prompt-injection-style behavior if the agent interprets the task too broadly or follows compromised downstream content.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The script silently invokes multiple helper programs for weather, calendar, news, AI updates, OpenClaw insights, and cost tracking without any user-facing disclosure about network access or access to personal/local data sources. In the context of a daily briefing skill, this is more dangerous because users are likely to grant it routine execution, increasing the chance of unnoticed collection of calendar data, local usage metadata, or outbound requests to third-party services.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
This code accesses the user's Calendar data via AppleScript without any user-facing disclosure, consent flow, or in-code indication that highly sensitive personal data is being collected. In the context of an automated daily briefing that aggregates and delivers information externally via iMessage, silent calendar access increases privacy risk because event titles and times may contain confidential personal or business information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code fetches BBC and Guardian RSS feeds over plain HTTP, which allows a network attacker or malicious proxy to tamper with feed contents in transit. In this skill, those headlines are later formatted into a daily briefing sent automatically to the user, so manipulated content could mislead the user, inject phishing-style text, or suppress legitimate news without any integrity check or warning.

VirusTotal

65/65 vendors flagged this skill as clean.
