matter-day-reminder

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is a coherent local birthday/anniversary reminder assistant. The main things to notice are its local storage of personal contact details and its optional email credentials.

This appears reasonable to install if you are comfortable keeping personal reminder data in local Markdown files. Before using it, choose a private data directory, be cautious about what personal notes you store, avoid committing the directory or email config to Git, and use a scoped app password if you enable email fallback.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your friends' and family's dates, interests, and private notes may be stored in readable local files and reused by the assistant for future reminders.

Why it was flagged

The skill stores persistent personal context, including contacts, birthdays, anniversaries, relationship details, interests, and notes, for later reminder and message generation.

Skill content
- **Local storage**: All data is stored locally in Markdown + YAML Frontmatter format

Recommendation

Keep the reminder-data directory private, avoid storing highly sensitive notes, and consider encryption or a private backup location if the machine is shared.

What this means

If you enable email fallback, a local configuration file may contain a usable email app password.

Why it was flagged

The documentation shows an optional email fallback that may require storing an SMTP username and app password in a local config file.

Skill content
    email:
      smtp_host: "smtp.gmail.com"
      smtp_port: 587
      username: "your-email@gmail.com"
      password: "your-app-password"

Recommendation

Use an app-specific password with minimal scope, do not commit config.yml to Git or shared storage, and prefer environment variables or a secret manager if available.

What this means

Installing the helper dependencies brings in third-party npm packages, which is normal here but still part of the trust boundary.

Why it was flagged

The helper scripts rely on npm packages for YAML parsing and lunar calendar conversion; this is expected for the skill, and the included lockfile provides pinned versions and integrity hashes.

Skill content
      "dependencies": {
        "js-yaml": "^4.1.1",
        "lunar-javascript": "^1.7.7"
      }

Recommendation

Install dependencies from the included lockfile where possible, such as with npm ci in the scripts directory, and avoid replacing the lockfile with unreviewed updates.