Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Daily Recap
v1.0.0
Generate a daily recap/summary of all agent activity and save it to Obsidian. Use when asked to do a daily recap, end-of-day summary, or when a cron job fire...
by New Age Investments @newageinvestments25-byte
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Reading memory/YYYY-MM-DD.md and writing vault/daily-recap/YYYY-MM-DD.md is coherent with a daily recap skill. However, the optional step to "read recent Discord messages" is not justified by the skill's declared requirements (no Discord credentials or config paths are requested), creating a mismatch between purpose and requested capabilities.
Instruction Scope
The SKILL.md explicitly instructs the agent to 'scan the guild channels for today's messages' if the memory log is sparse. That is broad and vague (which guilds/channels? what timeframe? what filters?) and grants the agent discretion to access external chat data. The instructions also require quoting user requests verbatim (privacy risk) and auto-detecting tags, which may cause sensitive content to be written into the Obsidian vault.
Install Mechanism
This is an instruction-only skill with no install steps and no code files. No files will be written to disk by an installer, so install risk is low.
Credentials
The skill declares no required environment variables or credentials, yet its instructions imply access to Discord (which would normally require a token/API credentials). This mismatch is a red flag: either the skill will fail when asked to scan Discord, or it expects undocumented credentials/permissions, which is disproportionate and risky. Writing journal entries to a vault and appending to memory are expected, but users should note these files will be modified.
Persistence & Privilege
always is false and the skill does not request persistent or platform-wide privileges. The skill suggests running via cron, which is a normal usage pattern and does not on its own raise privilege concerns.
What to consider before installing
Before installing or enabling this skill:
1) Confirm whether the agent is legitimately allowed to read Discord messages. The SKILL.md asks the agent to "scan guild channels" but the skill declares no Discord credentials — ask the author to explicitly declare required tokens and the exact guilds/channels and scope.
2) Understand file writes: the skill will create/modify files under vault/daily-recap/ and append to memory/YYYY-MM-DD.md; ensure those paths are correct and you’re comfortable storing summaries there (they may include verbatim user requests).
3) If you do not want external chat data included, request the author remove the Discord step or make it opt-in with explicit credential fields.
4) Prefer an updated SKILL.md that lists required env vars (e.g., DISCORD_TOKEN or similar) and documents privacy implications and channel scope; lacking that, treat the Discord-reading behavior as an unresolved security/privacy risk.
Like a lobster shell, security has layers — review code before you run it.
latest vk972snhyqfx8wjhyvbx3rb4gj183xqeb
