Daily Rhythm
v1.0.0
Automated daily planning and reflection system with morning briefs, wind-down prompts, sleep nudges, and weekly reviews. Use when the user wants to set up a structured daily routine, morning briefings, evening reflection prompts, or weekly planning sessions. Triggers include requests for daily schedules, morning briefs, wind-down routines, sleep reminders, weekly reviews, productivity systems, or daily planning automation.
by Anthony Francis (@anthonyfrancis)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (daily briefs, wind-downs, weekly reviews) aligns with the scripts provided (Google Tasks sync, Stripe ARR sync, brief generator). However metadata claims no required env vars or config paths while the instructions and scripts require Google OAuth credentials and optionally a Stripe secret in a .env.stripe file. The README/SKILL.md also describe sending briefs via messaging (Telegram/WhatsApp/Signal) but there is no delivery implementation included — only instructions and a shell script that echoes sync steps. This mismatch (declared none vs actual credential and path needs, and promised delivery channels without code) is an incoherence.
Instruction Scope
SKILL.md instructs obtaining Google API credentials, creating .env.stripe and setting up cron jobs — all within the expected scope. But the runtime instructions and scripts reference and read/write specific filesystem locations (e.g., /Users/tom/.openclaw/workspace, ~/.openclaw/google-tasks/) and token.json files; the sync scripts will create and persist token.json and Stripe-derived JSON files (including customer_ids) in the workspace memory. These instructions thus require access to local files and write potentially sensitive data, which is reasonable for the stated purpose but not surfaced in the skill metadata and may expose sensitive information if defaults are used.
Install Mechanism
There is no automated install spec (instruction-only), which reduces automatic code execution risk. The SKILL.md does ask the user to pip-install several Python packages (google-auth libraries, google-api-python-client, stripe). That is proportionate for Google Tasks and Stripe usage, but the skill files themselves include code that will be placed in the workspace and executed by cron — so the user will be executing included scripts locally. No external download URLs or obfuscated installers are present.
Credentials
The registry metadata claims no required env vars, but the SKILL.md and scripts clearly require: (1) Google OAuth credentials (credentials.json -> token.json) and (2) optionally STRIPE_API_KEY via a .env.stripe file. The Stripe script expects a live secret key and will persist customer_ids into stripe-data.json. Requesting and storing a Stripe secret and customer IDs is proportional to ARR tracking but is sensitive and should be declared up front. The skill also hard-codes paths in multiple places, which may cause it to read or write data in another user's home if not adjusted.
Persistence & Privilege
always is false (good). The skill does persist state to disk (token.json, google-tasks.json, stripe-data.json, heartbeat-state.json, memory/YYYY-MM-DD.md) under a workspace/memory path; that is expected for a local automation tool. The concern is that those paths are hard-coded to /Users/tom/.openclaw/workspace and similar, which could lead to confusing placement of sensitive files if not edited. The skill does not request to modify other skills or system-wide agent settings.
What to consider before installing
This skill appears to implement the daily-briefing functionality it advertises, but there are several red flags you should address before installing or running it:
- Credentials & secrets: SKILL metadata says no env vars, but the code requires Google OAuth credentials (credentials.json) and optionally a Stripe secret (STRIPE_API_KEY in .env.stripe). Do not use a live, fully privileged Stripe key if you can avoid it — prefer a restricted test key or a key scoped to only the necessary read operations.
- Hard-coded paths: The scripts use absolute paths like /Users/tom/.openclaw/workspace and insert /Users/tom/Library/Python/... into sys.path. Update these paths to point to your own workspace before running; otherwise the scripts may fail or write data to unexpected locations.
- Sensitive local storage: The Google OAuth token.json and stripe-data.json (which includes customer_ids and ARR) are stored on disk in memory/. Those files contain sensitive data — ensure the folder is protected with appropriate filesystem permissions and consider encrypting or limiting what is persisted.
- Delivery mechanism missing: The README mentions sending briefs via Telegram/WhatsApp/Signal but the provided scripts only generate local files and echo status. You will need to implement or review a delivery adapter if you expect briefs to be sent to external messaging services.
- Review code before running: The included Python scripts are readable and not obfuscated, but you should inspect them and adjust paths, logging, and what they save. Run them in a sandbox or with test credentials first.
- Operational recommendations: (1) Update the skill metadata to declare required credentials and configurable paths; (2) replace any live Stripe keys with restricted or test keys; (3) change hard-coded paths to be configurable via environment variables or relative to the skill workspace; (4) secure the memory directory (restrict permissions); (5) if you do not want customer identifiers stored, modify sync-stripe-arr.py to avoid writing customer_ids.
If the owner can update the package to remove hard-coded paths, declare required env vars in metadata, and provide a safe example delivery implementation, my confidence in coherence would increase.
Like a lobster shell, security has layers — review code before you run it.
latest vk97be44q86710vt6h8zhp500jh80bew5
