auto-daily-summary

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says, but it sets up persistent daily automation for every detected agent and uses unsafe shell command construction.

Install only if you want every OpenClaw agent on the system to receive an indefinite daily summary prompt. Before running it, review the affected agents, understand how to list and delete the created OpenClaw cron jobs, and consider editing the script to target specific agents and avoid shell=True command construction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_openclaw_command(command):
    """Execute openclaw CLI command and return output."""
    try:
        result = subprocess.run(
            command, 
            shell=True, 
            capture_output=True,
Confidence
99% confidence
Finding
result = subprocess.run( command, shell=True, capture_output=True, text=True, timeout=30 )

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill documentation describes automatic setup of daily summary cron jobs for all available agents, but it does not present this side effect as a prominent warning to the user before execution. That omission can lead users to run the skill without realizing it will persistently schedule automated actions across multiple agents, creating surprise automation, privacy concerns, and broad operational impact.

VirusTotal

66/66 vendors flagged this skill as clean.
