Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Daily Standup
v0.1.1每日早报聚合器。当用户询问每日汇总、standup、晨报、或工作状态总览时激活。
⭐ 0· 330·4 current·4 all-time
byPaul Leo@paul-leo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill is an aggregator and only declares MORPHIXAI_API_KEY, which coheres with using a single Morphix proxy to access GitLab/GitHub/Jira/Outlook/etc. However the SKILL.md also instructs the user to install an external plugin (openclaw-morphixai) and to link multiple service accounts — these actions are outside the skill bundle itself and increase the trust surface. The lack of a homepage/source makes it harder to verify the plugin/service.
Instruction Scope
Instructions are specific: use mx_* tools to query each connected service and skip unlinked accounts. The skill does not instruct reading local files or arbitrary env vars beyond MORPHIXAI_API_KEY. However it explicitly instructs linking many third‑party accounts (OAuth/credentials) and running external tooling (mx_link, mx_gitlab, etc.), which will cause broad data access via Morphix if performed.
Install Mechanism
This is instruction-only (no install spec), so it doesn't write code itself. But it tells users to run `openclaw plugins install openclaw-morphixai` — an external plugin install step not captured by the skill metadata. Installing a third‑party plugin is a higher-risk action because that plugin will run code and handle account credentials; the skill provides no verification link or provenance for that plugin.
Credentials
Only MORPHIXAI_API_KEY is required, which is proportionate for a service that proxies multiple connectors. Note: that single API key likely grants access to all linked accounts through Morphix, so its power is broad — the key's scope and Morphix's handling of linked credentials should be reviewed.
Persistence & Privilege
The skill does not request always:true and does not declare any persistent system modifications. It relies on runtime calls to external connectors; autonomous invocation is allowed (platform default) but is not excessive by itself.
What to consider before installing
This skill behaves like a normal aggregator but requires installing a third‑party plugin (openclaw-morphixai) and giving a Morphix API key that will access all linked accounts. Before installing: 1) Verify the openclaw-morphixai plugin and morphix.app (homepage, source repo, privacy/security docs, ownership). 2) Limit which accounts you link (avoid using high‑privilege service accounts) and prefer least privilege. 3) Consider creating a separate/test account or sandbox to evaluate behavior. 4) Rotate and revoke the MORPHIXAI_API_KEY if you stop using the service. If you cannot verify the plugin/provider provenance, treat this skill as untrusted.Like a lobster shell, security has layers — review code before you run it.
latestvk975t1bsaw7xg0pbf5ker04vsx82cy8j
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📋 Clawdis
EnvMORPHIXAI_API_KEY