Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

morning-briefing

v1.0.1

Aggregates weather, game updates, and concert data into a daily markdown briefing. Triggered by 'morning briefing', 'daily briefing', 'run my briefing', 'wha...

by Pat Fitzner (@patfitzner)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the implementation: the scripts use curl and jq to fetch weather and format JSON files into data/briefing.md. The declared required binaries (curl, jq) are appropriate. One minor mismatch: SKILL.md references assets/templates/<source-id>.jq and external source templates, but the packaged file list contains no assets/templates directory or templates — the skill therefore expects external templates/data provided by other skills or by the user.
Instruction Scope
Runtime instructions are limited to initializing a JSON config, reading that config, aggregating local JSON files (data_path entries), calling wttr.in for weather, running jq templates, and writing the markdown output. The SKILL.md explicitly instructs the agent to present the generated markdown verbatim. This is coherent for an aggregator, but worth noting: the content presented verbatim can include anything contained in the JSON sources the config points to. If the config or sources point to sensitive files, those contents could be exposed when the briefing is presented.
Install Mechanism
Instruction-only skill with no install spec; scripts are included as plain shell files. No downloads or archive extraction are performed by the skill itself.
Credentials
The skill requests no credentials or special environment variables. It reads the user's HOME to locate ~/.openclaw/config and writes to the skill's data/ directory — this is proportional to its purpose.
Persistence & Privilege
always is false and the skill does not attempt to modify other skills or system-wide settings. It only writes its own config at ~/.openclaw/config/morning-briefing.json and its own output file.
Assessment
This skill appears to do exactly what it says: combine weather from wttr.in and JSON files produced by other skills into a markdown briefing. Before installing or running it, review the following:
(1) Inspect the config at ~/.openclaw/config/morning-briefing.json — ensure data_path entries point only to trusted JSON files (do not point to system or secret files).
(2) The package as provided does not include assets/templates — templates must come from other skills or you must supply them; a malicious template could alter output, so only use templates you trust.
(3) The agent is instructed to present the generated markdown verbatim — any sensitive content present in the aggregated sources will be revealed exactly as-is.
(4) The scripts are plain shell; if you plan to run them, review scripts/init_config.sh and scripts/morning_briefing.sh yourself or run them in a safe environment first.
If you want to be extra cautious, run the briefing script after setting weather.enabled=false and disabling untrusted sources so it only includes data from known, safe files.

Like a lobster shell, security has layers — review code before you run it.

latestvk97etqk8wma41b76qdkyh7162h82qgf7

Runtime requirements

🌅 Clawdis
OS: Linux · macOS
Bins: curl, jq