Sovereign Daily Digest
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: sovereign-daily-digest
Version: 1.0.0

The skill is classified as suspicious due to multiple critical shell injection vulnerabilities. The `SKILL.md` explicitly instructs the AI agent to create a crontab entry using a user-controlled `CRON` string without sanitization, leading to potential Remote Code Execution (RCE) via prompt injection (e.g., `echo "${CRON} ..." | crontab -`). Additionally, the `SKILL.md` instructs the agent to use user-controlled `LOCATION` and `REPO` values from `config.yaml` in `curl` and `gh` commands, respectively, which are not robustly sanitized in `scripts/digest.sh` (e.g., `sed 's/ /+/g'` is insufficient for `LOCATION`), also posing RCE risks. These flaws allow an attacker to execute arbitrary commands by manipulating the configuration or agent prompts, despite the skill's stated benign purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A digest could include events from local calendar files the user did not explicitly add to the digest configuration.
The script reads calendar files from common local directories automatically, even though the skill instructions describe using configured calendar sources. Local calendars can contain sensitive personal or work information.
# Check for local .ics files in common locations
# (the ** pattern only recurses into subdirectories when bash globstar is enabled)
for ics_path in ~/calendars/*.ics ~/.local/share/calendars/**/*.ics; do
  if [[ -f "$ics_path" ]]; then
    ...
    parse_ics "$(cat "$ics_path")" "$name"
  fi
done

Limit calendar reads to explicitly configured paths/URLs, or add a clear opt-in setting and user warning before scanning local calendar directories.
If enabled, the skill can access sensitive email content for the digest.
Email access is optional and disabled by default, but if enabled it uses account credentials and reads unread message metadata/body snippets.
email:
  enabled: false # disabled by default — requires auth
  provider: "imap"
  ...
  # Password should be stored in environment variable DIGEST_EMAIL_PASS
...
1. Connect via IMAP.
2. Fetch unread messages from the last N hours.

Enable email only intentionally, use an app-specific password or tightly scoped account, and avoid including mailboxes with highly sensitive content unless needed.
Sensitive personal information may remain in local digest archives for up to the configured retention period.
The skill stores generated briefings locally and archives them by default. Those briefings may summarize calendar, task, email, and other personal data.
output_dir: "~/.openclaw/daily-digest/output"
archive: true # keep previous digests
max_archive_days: 30
Review the output directory permissions, reduce or disable archiving if needed, and avoid adding sources whose summaries should not be retained.
If the user installs the cron entry, the digest can run every day without a fresh interactive prompt.
The documentation shows how to configure recurring cron execution. This is user-directed and aligned with a daily digest, but it creates persistent scheduled behavior.
0 7 * * * cd ~/.openclaw/skills/daily-digest && bash scripts/digest.sh --format both
Only add scheduled execution if desired, and review or remove the cron/Task Scheduler entry when no longer needed.
