Morning Briefing
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: morning-briefing Version: 1.0.0 The skill is classified as suspicious due to its use of sensitive capabilities, specifically reading a credential file (`~/.config/notion/api_key`) and performing network requests to an external API (`api.notion.com`) using that key, as seen in `scripts/generate-briefing.sh`. While these actions are plausibly needed for the stated purpose of integrating with Notion, handling API keys directly from files and making external network calls are inherently risky capabilities that warrant a 'suspicious' classification, even without clear evidence of malicious intent like exfiltration to an unauthorized endpoint.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or using the skill may cause the agent to use a local Notion API credential that the user was not clearly told would be accessed.
The script reads a local Notion API key file, but the registry metadata declares no primary credential and no required config paths.
NOTION_KEY=\\$(cat ~/.config/notion/api_key)
Declare the Notion credential and config path explicitly, explain the token scope needed, and require the user to opt in before using the credential.
The skill may fail or behave differently depending on local tools and environment setup, and it sends a Notion database query to Notion’s API.
The skill uses local command-line tools and an external API call to assemble the briefing. This is purpose-aligned, but the required binaries and runtime expectations are not declared.
remindctl today --plain ... curl -s -X POST "https://api.notion.com/v1/databases/$notion_db/query" ... jq -r
Document required binaries, expected local permissions, and the exact Notion database query behavior.
Private reminders and task information could be saved into persistent agent memory or vault storage without clear boundaries.
The README indicates the workflow may write to a vault, but the skill description only says 'vault storage' and does not define what data is stored, how long it is retained, or how users approve or remove it.
Triggers remindctl today + Notion query + vault_add_note.
Clarify whether vault_add_note is used, what content is saved, require explicit user approval for each write, and provide deletion or retention guidance.