Executive Briefing

Verdict: Pass. Audited by VirusTotal on May 1, 2026.

Overview

Type: OpenClaw Skill
Name: executive-briefing
Version: 0.1.0

The skill is designed to generate executive-level revenue recovery briefings by querying a local SQLite database located in the OpenClaw workspace. The core logic in scripts/briefing.py uses parameterized SQL queries to prevent injection and writes report files to a structured directory within the workspace. No evidence of data exfiltration, unauthorized network access, or malicious prompt injection was found across the documentation or code.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (Medium Confidence)
ASI02: Tool Misuse and Exploitation
What this means

A bad or manipulated client ID could make the skill write briefing_summary.md, revenue_xray.json, and briefing_data.json into an unexpected local directory.

Why it was flagged

The required client ID is used directly as a component of the output path. Because it is neither normalized nor checked for path separators or absolute paths, a malformed client ID could cause report files to be created outside the intended Xzenia data directory.

Skill content
p.add_argument('--client', required=True) ... report_dir=os.path.join(DATA_DIR,'clients',client_id,'reports'); os.makedirs(report_dir, exist_ok=True)
Recommendation

Reject client IDs containing path separators or absolute paths, canonicalize the final report path, verify it stays under the intended data directory, and disclose or implement the --output option clearly.

What this means

Generated reports may contain client details, leakage findings, and recovery actions from the local Xzenia workspace.

Why it was flagged

The helper script reads persistent local client, financial event, finding, and action data, then writes detailed report JSON files. This is consistent with revenue briefing generation, but the data is sensitive business context that may be reused or exposed through the generated artifacts.

Skill content
DB_PATH=os.path.expanduser('~/.openclaw/workspace/data/xzenia/causal_memory.db') ... json.dump({'client': client_dict, 'run_id': run_id, ... 'findings': findings_list, 'actions': actions_list}, f, indent=2, default=str)
Recommendation

Use the skill only with trusted local Xzenia data, treat generated reports as confidential, and verify the source database contents before relying on the briefing.