Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Daily Dev Feed

v0.1.0

Curated developer content aggregation powered by daily.dev. Get real-time articles, trending topics, and personalized feeds from thousands of validated sources.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (flagged)
SKILL.md clearly describes a wrapper around the daily.dev API and requires a daily-dev dependency and a Daily.dev Plus API token (prefixed dda_). However, the registry metadata lists no required dependencies and no required environment variables. That mismatch between the declared metadata and the runtime instructions should be resolved before trusting the skill.
Instruction Scope (flagged)
The instructions explicitly tell an agent to analyze local project files (package.json, go.mod, Cargo.toml, etc.) to auto-follow tags and create custom feeds. Reading and processing local project files is reasonable for onboarding features, but the SKILL.md does not limit what is sent to the external API. This creates a risk that sensitive or private repo contents could be transmitted to api.daily.dev unless the skill or operator enforces filtering/consent.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing is downloaded or written at install time. That lowers supply-chain risk. The SKILL.md does reference installing a separate 'daily-dev' skill via clawhub, but that dependency is not reflected in metadata.
Credentials (flagged)
The runtime docs instruct the user to create and store a DAILY_DEV_TOKEN (dda_ prefix) and show examples for macOS Keychain, Windows Credential Manager, and secret-tool on Linux. Yet the registry metadata declares no required env vars or primary credential. Requesting a single API token for daily.dev is proportionate to the described functionality, but the omission from metadata is a significant oversight and reduces transparency.
Persistence & Privilege
The skill sets always:false (the default) and permits autonomous invocation (the platform default). Its SKILL.md suggests periodic fetches for 'agent self-improvement'; if you enable autonomous agents, they could periodically call the daily.dev API using your token. That is expected for this use case but increases runtime data flow, so consider whether you want an autonomous agent with access to your DAILY_DEV_TOKEN. Also note an ownerId mismatch between the registry metadata and _meta.json, which is an administrative inconsistency to verify.
What to consider before installing
Before installing:

1) Ask the publisher to correct the registry metadata so it declares the dependency on the 'daily-dev' skill and the required DAILY_DEV_TOKEN (or similar primaryEnv).
2) Verify the owner/publisher identity (ownerId mismatch in _meta.json vs registry) to ensure you are installing the intended package.
3) Be aware the skill's instructions include reading local project files (package.json, go.mod, etc.); confirm what exact file data will be sent to api.daily.dev and avoid sending secrets or private repo contents.
4) Only provide a daily.dev API token you control, store it in a secure credential store, and rotate it if you stop using the skill.
5) If you plan to run this with autonomous agents, restrict or monitor the agent's ability to call external APIs or read local files to prevent inadvertent data leakage.

If the publisher cannot address the metadata and ownership inconsistencies, treat the package with caution or request a vetted release.


