Market Morning Brief
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If another local skill or file at that path is compromised or different from expected, running the evening brief can execute that code under the user's account.
The evening brief default scorecard path imports and executes code from a sibling skill directory rather than only reading declared cache files or package dependencies.
script_dir = Path(__file__).resolve().parents[2] / "kalshalyst" / "scripts" ... sys.path.insert(0, str(script_dir)) ... from trade_ledger import get_monthly_scorecard ... if config.get("include", {}).get("scorecard", True):
Review the Kalshalyst installation before enabling the scorecard, or set include.scorecard to false until this dependency is documented and constrained.
The skill can read and display sensitive financial trading positions and unrealized P&L when configured.
The skill expects optional Kalshi API credentials/private key to fetch the portfolio section; this is aligned with the stated P&L brief purpose.
kalshi:
  enabled: true
  api_key_id: "your-key-id"
  private_key_file: "/path/to/private.key"
Use the least-privileged/read-only Kalshi key available and avoid routing generated briefs to destinations you do not trust.
If this helper is used with real portfolio output, positions or P&L could be sent to Slack or another webhook destination.
The code includes a Slack webhook notification helper capable of sending brief text to an external webhook if configured; the provided metadata does not declare this environment variable.
def _notify_slack(message: str) -> None: ... webhook_url = os.environ.get("OPENCLAW_SLACK_WEBHOOK", "") ... webhook_url = config.get("slack_webhook_url", "") ... urllib.request.urlopen(req, timeout=10)
Confirm whether Slack notification is enabled, unset OPENCLAW_SLACK_WEBHOOK if not desired, and document/limit webhook use when handling account data.
Stale or tampered cache files could change the trading signals or opportunities shown in the brief.
The brief relies on persisted cache files from other skills as context for its output.
Kalshalyst → writes → .kalshi_research_cache.json
Arbiter → writes → .crossplatform_divergences.json
Xpulse → writes → .x_signal_cache.json

↓ (brief reads)

Market Morning Brief → consolidates → morning_brief.txt
Keep cache paths in trusted directories, watch freshness warnings, and do not treat cached signals as authoritative trading instructions.
