ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Daily Report Public

v1.0.0

Generate structured daily reports for the user, summarizing completed tasks, ongoing work, pending items, and notable notes. Use when user asks for daily rep...

0· 34·0 current·0 all-time
by@nopedijah
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (daily report generation) aligns with the instructions: the skill reads memory and project files and uses conversation history to build reports. Access to local 'memory/YYYY-MM-DD.md', TODO.md, PROJECTS.md is coherent with this purpose.
!
Instruction Scope
The SKILL.md explicitly instructs the agent to read today's and yesterday's memory files, project files, and recent conversation history and to 'Update memory files with the generated report'. That read/write behavior is a side effect and persistent storage operation that is not declared elsewhere. The instructions do not specify exact paths, permissions required, or safeguards for sensitive data.
Install Mechanism
No install spec and no code files are present (instruction-only), so nothing will be downloaded or written at install time. This is lower risk from an install-execution standpoint.
Credentials
The skill requests no environment variables, credentials, or config paths. That matches there being no external services or binaries required. However, the skill still expects to read/write local files even though no config paths are declared.
!
Persistence & Privilege
The skill instructs updating memory files (persistent writes) but does not declare required config paths or surface that it will modify stored data. While 'always' is false and autonomous invocation is allowed (the platform default), the persistent write behavior increases impact if the agent is invoked autonomously and should be disclosed.
What to consider before installing
This skill appears to do what it says (generate daily reports) but it reads and writes local 'memory' and project files without declaring the file paths or describing permissions and data-retention behavior. Before installing or enabling it: - Confirm where the agent's memory directory lives and whether the skill will be allowed to write there. Ask the publisher to specify exact paths used and whether writes are atomic/append-only. - If you have sensitive content in memory or project files, consider restricting the skill's file access or disabling autonomous invocation until you review behavior. - Ask whether generated reports will be stored verbatim in memory (could persist sensitive details) and whether there is any rotation, encryption, or export policy. - Because this is instruction-only, there is no external network URL in the spec, which reduces supply-chain risk — but the persistent write behavior is the main concern. Request the publisher to explicitly declare config paths and describe write safeguards; if they can't, treat the skill as higher risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dk1sjyk1cyy4sxxvdkxg6ah840bhk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments