ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Daily Report (HuangYang)

v2.0.0

Generate structured daily reports for the user, summarizing completed tasks, ongoing work, pending items, and notable notes. Use when user asks for daily rep...

0· 29·0 current·0 all-time
by@nopedijah
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description match the instructions: generating daily reports by using memory and project files is coherent. However, the skill declares no required config paths or explicit permission to access files, yet the instructions rely on reading/writing memory/YYYY-MM-DD.md and project files (TODO.md, PROJECTS.md). That mismatch is a design/visibility issue.
!
Instruction Scope
SKILL.md explicitly instructs the agent to read today's and yesterday's memory files, recent conversation history, and project files, and to update memory files with the generated report. Those are file read/write operations that touch persistent state. Because the skill is instruction-only and no file-access scope is declared, it may access broader local content than the user expects; the write/update step increases risk (persistent changes).
Install Mechanism
No install spec and no code files (instruction-only). This is lower-risk from an install/execution standpoint since nothing arbitrary is downloaded or written during installation.
Credentials
The skill requests no environment variables or external credentials (appropriate). But it depends on local files for input/output; that dependence should be explicitly declared (config paths or permissions). Lack of declared file paths makes it unclear what data the skill will read.
Persistence & Privilege
always:false (not forced into every agent run) and autonomous invocation allowed (normal). The instruction to 'Update memory files with the generated report' implies the skill will write persistent data to the agent's memory store or disk — a legitimate feature for this purpose but one that grants persistence and should be explicit to the user.
What to consider before installing
Before installing, ask or verify: (1) where 'memory/YYYY-MM-DD.md' and project files live (path and access scope) and confirm you are comfortable with the agent reading them; (2) whether the skill will actually write/update memory files and where those writes go; (3) limit the skill's file access to a specific folder or run it in a sandbox/isolated workspace for testing; (4) ensure no secrets or sensitive data exist in the referenced project files or memory; (5) request the skill author to declare required config paths/permissions in metadata so file access is explicit. Because this is instruction-only, the SKILL.md content is the authority — review it and test with non-sensitive data first.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e85a9vaqs0g7k5j7gqkg5zd8416kj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments