Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Morning Briefing
v1.0.0
Provides a personalized morning report with today's reminders, undone Notion tasks, and vault storage summary for daily planning.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/intent (morning briefing using Reminders and Notion) matches the script's behavior. However, the skill declares no required env vars or credentials, while the script clearly needs a Notion DB ID (NOTION_TASKS_DB or argument) and a Notion API key. It also relies on local Reminders via remindctl and on utilities like curl and jq, none of which are declared.
Instruction Scope
SKILL.md describes pulling from Apple Reminders and Notion, which aligns with the script, but it does not disclose that the script will read a local secret file (~/.config/notion/api_key). The instructions therefore omit a sensitive file read and do not list required command-line tools (remindctl, curl, jq). This is scope creep/omission for sensitive data access.
Install Mechanism
There is no install spec (instruction-only). That is low-risk from an installer perspective; code is present as a script file which will be executed by the agent rather than installed via a networked installer.
Credentials
The skill requests no environment variables or primary credential in metadata, yet the script expects NOTION_TASKS_DB (env or arg) and reads a Notion API key from ~/.config/notion/api_key. Reading a local file containing a secret is sensitive and not declared or justified in the skill metadata.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. It does not modify other skills or system-wide settings.
What to consider before installing
This skill will run a local shell script that:
(a) calls remindctl to read your Apple Reminders,
(b) attempts to read a Notion API key from ~/.config/notion/api_key, and
(c) POSTs a query to api.notion.com with that key.
Before installing:
1) Confirm you are comfortable with a skill reading ~/.config/notion/api_key; consider moving the key to a dedicated file with restricted scopes or modifying the script to accept an explicit env var (e.g., NOTION_API_KEY) instead of reading from disk.
2) Ensure required binaries (remindctl, curl, jq) exist and are acceptable — the skill metadata does not list them.
3) Audit the Notion token's scopes (use least privilege).
4) If you do not want local files read, request the skill author update SKILL.md and metadata to declare NOTION_TASKS_DB and the credential handling, and/or avoid reading files from the user home.
5) Run the script in a sandbox or review its code before granting it permission to execute.
The inconsistencies are likely sloppy configuration rather than clearly malicious, but the undisclosed local secret read is a meaningful privacy/security concern.
Like a lobster shell, security has layers — review code before you run it.
