Executive Briefing

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its briefing purpose, but its helper script reads local Xzenia financial data and can write report files to a path derived from an unsanitized client ID.

Review or patch scripts/briefing.py before use, especially the client ID path handling. Only run it against a trusted Xzenia workspace, and keep generated report files confidential because they may include detailed financial leakage findings and recovery actions.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A bad or manipulated client ID could make the skill write briefing_summary.md, revenue_xray.json, and briefing_data.json into an unexpected local directory.

Why it was flagged

The required client ID is used directly in the output path. Because it is not normalized or checked for path separators/absolute paths, a malformed client ID could cause report files to be created outside the intended Xzenia data directory.

Skill content

p.add_argument('--client', required=True) ... report_dir=os.path.join(DATA_DIR,'clients',client_id,'reports'); os.makedirs(report_dir, exist_ok=True)

Recommendation

Reject client IDs containing path separators or absolute paths, canonicalize the final report path, verify it stays under the intended data directory, and disclose or implement the --output option clearly.

What this means

Generated reports may contain client details, leakage findings, and recovery actions from the local Xzenia workspace.

Why it was flagged

The helper script reads persistent local client, financial event, finding, and action data, then writes detailed report JSON files. This is aligned with revenue briefing generation but is sensitive business context that may be reused or exposed through generated artifacts.

Skill content

DB_PATH=os.path.expanduser('~/.openclaw/workspace/data/xzenia/causal_memory.db') ... json.dump({'client': client_dict, 'run_id': run_id, ... 'findings': findings_list, 'actions': actions_list}, f, indent=2, default=str)

Recommendation

Use the skill only with trusted local Xzenia data, treat generated reports as confidential, and verify the source database contents before relying on the briefing.