morning-briefing

Security checks across malware telemetry and agentic risk

Overview

This skill builds a local morning briefing from configured data sources and weather, with limited and disclosed file and network behavior.

Install if you want a local briefing generator and are comfortable with the configured weather location being sent to wttr.in. Review ~/.openclaw/config/morning-briefing.json, disable weather if needed, and use trusted upstream data files/templates because their content may be shown verbatim in the briefing.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 87% confidence
Finding: Trigger phrases like 'what's new today' and 'daily briefing' are broad enough to overlap with ordinary conversation, which can cause accidental invocation. Unintended execution matters here because the skill runs shell scripts, fetches remote content, reads data from other skills, and writes files, so a casual phrase could trigger side effects.

Missing User Warnings

Low

Confidence: 84% confidence
Finding: The description and usage do not prominently warn that the skill generates and writes a local markdown file, even though that is a core side effect. Insufficient disclosure can mislead users about persistence and local data handling, especially when the skill aggregates data from multiple sources into a stored briefing.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal