Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Executive
v0.2.1Use for C-level executives, ministers, and leaders — daily briefings, decision support, information gathering, report drafting, schedule awareness, and strat...
⭐ 0· 45·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's stated purpose (C‑suite briefings, schedule awareness, drafting, decision support) matches the runtime instructions, but those instructions assume access to inboxes, calendars, TASKS.md, and external news sources. The skill metadata declares no permissions, credentials, or config paths for these data sources, creating a mismatch between what it needs to do and what it requests.
Instruction Scope
SKILL.md explicitly instructs the agent to check unread messages, upcoming meetings, a TASKS.md file, and to 'scan for news/events'. It does not define where to read messages or meetings from, how to find TASKS.md, or where briefings should be delivered — leaving broad discretion that could lead to reading/sending sensitive data without clear limits.
Install Mechanism
Instruction-only skill with no install spec or code files — lowest install risk. Nothing will be written to disk by an installer from this package itself.
Credentials
No environment variables, credentials, or config paths are declared, yet the instructions require access to sensitive sources (email, calendar, task file, external news). This absence of declared required access is disproportionate and leaves ambiguous which credentials/connectors the agent will use.
Persistence & Privilege
always is false (good), but the skill expects to run periodic 'heartbeat' checks and to act proactively. Autonomous invocation is normal for skills, but combined with the implicit need to read/send sensitive data, this increases the impact — you should confirm how and when heartbeats run and whether automatic delivery actions are gated by explicit approval.
What to consider before installing
Before installing, confirm exactly which accounts and files this skill will access and how it will deliver briefings (email, chat, calendar event, etc.). Ask the publisher to declare required connectors/credentials (email/calendar API tokens, file paths like TASKS.md, news sources) and to document what automatic actions the skill can take and when it will seek approval. If you proceed, apply least-privilege: grant the minimum connectors needed, restrict write/send permissions (require manual approval before sending messages or posting briefs), set/confirm quiet hours, test with non-sensitive data first, and enable audit logging so you can review what the skill reads and sends. If you cannot get clear answers about data sources and delivery channels, avoid installing or run it in a sandboxed environment.Like a lobster shell, security has layers — review code before you run it.
latestvk974t1zt68k9qdthywf2gc4rn184cx49
License
MIT-0
Free to use, modify, and redistribute. No attribution required.