ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Daily Briefing

v1.0.11

Provides a personalized morning briefing with current weather, upcoming calendar events, important emails, and top pending tasks.

0· 841·0 current·0 all-time
by@sai-sh
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (weather, calendar, email, tasks) match the code and instructions. The skill asks only for an OpenWeather API key and Google OAuth access tokens, which are exactly what's needed to call those APIs. Required files (config.json, .env) and listed Python dependencies are appropriate for the stated functionality.
Instruction Scope
Runtime instructions stick to running main.py, installing dependencies, and providing tokens in a .env file. Minor inconsistencies in the prose: SKILL.md mentions verifying at a gist URL while main.py defines a different SKILL_VERIFY_SOURCE_URL (clawhub.ai), and the doc refers to "four services" though three are described. These are sloppy but not evidence of malicious behavior. No instructions ask the agent to read unrelated system files or exfiltrate data.
Install Mechanism
No install spec that downloads arbitrary archives; dependencies are standard Python packages listed in requirements.txt. Installation is via pip -r requirements.txt which is proportionate for the code present.
Credentials
The skill requests a small, relevant set of secrets: OPENWEATHER_API_KEY, GOOGLE_CALENDAR_TOKEN, and GMAIL_TOKEN. Those are necessary for the described API calls. The code reads .env from the skill directory and config.json; it does not request unrelated credentials or system-wide tokens.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It only reads local config/.env and makes outbound API calls — privileges are limited to what's required.
Assessment
This package appears to do what it says: fetch weather and Google data and assemble a briefing. Before installing, consider the following: (1) only provide short-lived or scoped OAuth tokens in the .env — avoid placing long-lived or highly privileged credentials there; (2) verify which exact Google scopes you grant (read-only scopes are preferable); (3) review the main.py source yourself for any network calls you don't expect (note the file contains a SKILL_VERIFY_SOURCE_URL that differs from the URL in the README — a harmless inconsistency but worth checking); (4) run the skill in an isolated environment (virtualenv/container) so its dependencies and tokens are sandboxed; (5) if you need stronger assurance, ask the author for the expected behavior of any verification/fetch logic (the file contains regexes for scraping/verification that appear unused in the visible code). If you do not want your email/calendar data read, do not provide the Google tokens.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bt0j4688zdhs8q7qy8jcb4n817ys2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments