Somnia
Advisory
Audited by Static analysis on May 7, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If applied, Somnia can run automatically each night and produce logs, reports, proposals, and possibly Telegram notifications.
The helper can install and load a macOS LaunchAgent, causing the review script to run on a schedule. This matches the overnight-review purpose and requires --apply, but it is still persistent background behavior.
DEFAULT_PLIST = Path.home() / "Library" / "LaunchAgents" / f"{DEFAULT_LABEL}.plist"
...
if args.apply: write_plist(plist_path, payload)
...
launchctl(["load", str(plist_path)])
Review the generated plist first, only use --apply if you want recurring background reviews, and use the provided --uninstall option if you no longer want the schedule.
Reports and proposals may be influenced by stored feedback or replay cases from prior use.
The review reads persistent feedback and replay-case files from the OpenClaw learning area. The shown code summarizes ratings and counts rather than raw content, but these files may still contain private user-derived data.
DEFAULT_FEEDBACK_FILE = Path.home() / ".openclaw" / "workspace" / ".learnings" / "skill-feedback.jsonl"
DEFAULT_REPLAY_FILE = Path.home() / ".openclaw" / "workspace" / ".learnings" / "skill-replay-cases.jsonl"
Keep feedback and replay files free of secrets, review generated reports before sharing them, and limit the review scope when needed.
If Telegram reporting is enabled, Somnia can use the configured bot token to send messages to the configured chat.
Optional Telegram reporting uses a bot token and chat ID from environment variables. This is expected for Telegram delivery, but the registry metadata does not declare required credentials because the feature is optional.
token = os.getenv(args.telegram_bot_token_env)
chat_id = os.getenv(args.telegram_chat_id_env)
...
f"https://api.telegram.org/bot{token}/sendMessage"
Use a dedicated Telegram bot/token with limited exposure, protect any env file containing it, and do not enable Telegram reporting unless you want reports sent externally.
Skill health summaries, issue labels, counts, and local proposal/report paths could be sent to Telegram.
When Telegram reporting is enabled, the Markdown report is sent to Telegram's API. The references say reports should not include raw hidden tests, secrets, tokens, or unredacted feedback text, and the shown report builder uses summaries.
body = json.dumps({"chat_id": chat_id, "text": text, "disable_web_page_preview": True}).encode("utf-8")
...
urllib.request.urlopen(request, timeout=30)
Before enabling Telegram mode, confirm that report contents and destination chat are acceptable for your privacy needs.
