MorningAI
v1.2.5Daily-scheduled AI news tracker. Collects updates from 80+ AI entities across 6 sources every 24 hours (default 08:00 UTC+8). Generates scored, deduplicated...
⭐ 0· 37·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (daily AI news tracker) aligns with required binary (python3), included collector scripts, source-specific modules (reddit, github, hackernews, huggingface, arxiv, X/Twitter via web search), and report/image generation files. The optional API keys (GITHUB_TOKEN, GEMINI/MINIMAX image keys) match the claimed features (higher GitHub rate limits, optional infographic providers).
Instruction Scope
SKILL.md tightly scopes actions to checking/creating a local config, calling the Python collector, scoring/deduplication, and optionally calling image provider APIs. It reads/writes only declared config paths (~/.config/morning-ai/.env, .env, .claude/morning-ai.env), entity markdown files, and produces date-stamped report/data files in the working directory. Note: onboarding guides the agent to collect API keys interactively and write them to disk; that is functionally necessary but increases the chance of accidental secret exposure if a user pastes credentials into an agent conversation.
Install Mechanism
No install/download steps are present (instruction-only manifest). The skill expects python3 and runs local Python scripts included in the repo; no external binaries, package downloads, or archive extraction are required by the manifest. This is low-risk from an installation standpoint.
Credentials
The skill declares no required environment variables and lists GITHUB_TOKEN and image-provider keys as optional — which matches their described uses. However the onboarding instructs creating a plaintext ~/.config/morning-ai/.env to store provided keys; storing secrets unencrypted on disk and prompting users to paste keys into an interactive flow can risk accidental leakage. No unrelated credentials (AWS, system tokens) are requested.
Persistence & Privilege
always:false and user-invocable:true. The skill writes its own config and report files under the user's home and working directory only; it does not request system-wide privileges or modify other skills. Autonomous invocation is allowed by platform default but not elevated by this skill.
Assessment
This skill appears to do what it says: collect public AI-related posts, score/deduplicate them, and write reports/images locally. Before installing: (1) Review the Python scripts (skills/tracking-list/scripts/collect.py and lib/*) if you want to audit outbound calls. (2) Prefer creating the ~/.config/morning-ai/.env file yourself (do not paste secrets into an agent chat); if you use a GITHUB_TOKEN or image-provider key, give it least privilege and rotate/delete when not needed. (3) If you run unattended scheduled jobs, consider isolating the run environment (dedicated user account or container) because reports and keys are stored on disk in plaintext. (4) If you want extra assurance, run a test with only free/public sources (create the minimal config shown in SKILL.md) before enabling optional API keys or image generation.Like a lobster shell, security has layers — review code before you run it.
latestvk97absq6q0a14zs16gggdxyjr584tpc3
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📰 Clawdis
Binspython3