auto-daily-summary

What to consider before installing/using this skill: - The script does what the description says (create daily 23:30 cron jobs for each agent) but the package metadata omits that it requires the 'openclaw' CLI and Python 3; ensure those are present and trusted on the host. - Security risk: the script builds shell commands by interpolating agent IDs and workspace paths and calls subprocess.run(..., shell=True). If an agent ID or workspace path contains malicious characters, that could allow arbitrary shell command execution. Only run this tool in environments where you trust the OpenClaw agent registry output. - Recommended mitigations before running: - Inspect the script yourself and, if possible, run it in a restricted test account or container first. - Replace or patch the script to call subprocess.run with a list of args (no shell=True) or safely escape arguments (e.g., shlex.quote) when composing the cron add command. - Ensure the OpenClaw CLI is the official binary and not a tampered executable; verify its install source and version. - Back up existing cron settings and consider a dry-run mode that prints the commands instead of executing them (you can modify the script to do this). - If you are not comfortable auditing or patching the script, consider asking the skill author to (1) update registry metadata to list required binaries, and (2) fix argument handling to avoid shell=True with interpolated untrusted values. Confidence note: the assessment is 'suspicious' rather than 'malicious' because the code's behavior aligns with its stated purpose, but there is a clear and avoidable security flaw and metadata omissions that warrant caution.