Stoic Companion

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill's capabilities match its stated Stoic journaling purpose, but it persists personal reflections to memory files on disk and can send scheduled messages through user-configured channels.

Before installing, decide what personal details you want stored, verify any Telegram/WhatsApp recipient IDs, protect optional TTS API keys, and make sure you know how to pause cron jobs and delete memory logs. Treat it as a reflection companion, not a replacement for professional help.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI06: Memory and Context Poisoning
Medium
What this means

Private emotional notes, relationship details, and progress reflections may remain available to future agent sessions.

Why it was flagged

The skill persistently records personal context, relationships, and daily reflections for later summaries. This is expected for virtue tracking, but the content may be sensitive.

Skill content
Store configuration in `memory/stoic-companion.md` ... Log key points in `memory/YYYY-MM-DD.md` ... Review daily memory files from the past 7 days
Recommendation

Only store details you are comfortable persisting, periodically review/delete memory files, and avoid including highly sensitive information unless needed.

ASI10: Rogue Agents
Low
What this means

The user may receive ongoing automated affirmations, check-ins, and summaries until those cron jobs are changed or disabled.

Why it was flagged

The skill creates recurring scheduled activity. This is disclosed and central to the product, but it means the assistant may continue sending messages without a new manual prompt each time.

Skill content
A daily Stoic growth system with three automated touchpoints ... Morning Affirmation (cron) ... Evening Check-in (cron) ... Weekly Summary (cron)
Recommendation

Confirm the schedule before enabling it and keep a clear way to pause, edit, or remove the cron jobs.

ASI03: Identity and Privilege Abuse
Low
What this means

If configured, the TTS provider key could be used to generate audio under the user's account.

Why it was flagged

Optional audio delivery may require a third-party API key. This is purpose-aligned, but whoever holds the key can consume the account's quota and incur charges, and the key is only as protected as the files the agent writes it into.

Skill content
**TTS** (optional but recommended): ElevenLabs API key + `sag` CLI for audio delivery
Recommendation

Use a scoped or low-privilege key where possible, keep it out of shared memory/logs, and revoke it if you stop using audio delivery.
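The two recommendations above (periodically review and delete memory files; keep the TTS key out of memory and logs) can be checked with one script. The following is an added example written for this review, not ClawScan's scanner or the skill's own code. It assumes the file layout quoted in the ASI06 finding (`memory/stoic-companion.md` plus daily `memory/YYYY-MM-DD.md` logs), the skill's own 7-day review window as the retention threshold, and generic secret heuristics (an `sk_`/`sk-` prefixed token or a long hex string) rather than any provider's exact key format. The sample memory directory it builds is constructed for the demonstration.

```python
"""Review an agent skill's memory directory for stale daily logs and sensitive content.

Added example for this review; not ClawScan or Stoic Companion code.
Assumptions: config in memory/stoic-companion.md, daily logs named YYYY-MM-DD.md,
and heuristic secret patterns (not the TTS provider's documented key format).
"""
import datetime as dt
import re
import tempfile
from pathlib import Path

DAILY_LOG = re.compile(r"^(\d{4}-\d{2}-\d{2})\.md$")

# Heuristics for content that should not persist in a journaling memory file.
SENSITIVE_PATTERNS = {
    "api_key_like": re.compile(r"\bsk[-_][A-Za-z0-9]{16,}\b|\b[0-9a-f]{32,}\b"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\+\d{8,15}\b"),
}


def stale_logs(memory_dir, today, keep_days=7):
    """Daily logs older than keep_days; the skill only reads the last 7 days anyway."""
    cutoff = today - dt.timedelta(days=keep_days)
    stale = []
    for path in sorted(Path(memory_dir).glob("*.md")):
        match = DAILY_LOG.match(path.name)
        if match and dt.date.fromisoformat(match.group(1)) < cutoff:
            stale.append(path)
    return stale


def sensitive_hits(memory_dir):
    """(file name, line number, label) for every line matching a sensitive pattern."""
    hits = []
    for path in sorted(Path(memory_dir).glob("*.md")):
        lines = path.read_text(encoding="utf-8").splitlines()
        for line_no, line in enumerate(lines, 1):
            for label, pattern in SENSITIVE_PATTERNS.items():
                if pattern.search(line):
                    hits.append((path.name, line_no, label))
    return hits


def review(memory_dir, today, keep_days=7):
    """Summary an operator can act on: which logs to prune, which lines to redact."""
    return {
        "stale": [p.name for p in stale_logs(memory_dir, today, keep_days)],
        "sensitive": sensitive_hits(memory_dir),
    }


def build_sample(memory_dir):
    """Write a constructed memory directory (fake data, for the demonstration only)."""
    d = Path(memory_dir)
    d.mkdir(parents=True, exist_ok=True)
    (d / "stoic-companion.md").write_text(
        "**Channel**: telegram\n"
        "- **Target ID**: 123456789\n"
        "- TTS key: sk_constructedexample0000000001\n",  # a key pasted into config: must be flagged
        encoding="utf-8",
    )
    (d / "2024-06-01.md").write_text("Practised patience during a long meeting.\n", encoding="utf-8")
    (d / "2024-06-09.md").write_text("Called +4915112345678 to apologise to my sister.\n", encoding="utf-8")
    (d / "2024-06-10.md").write_text("Evening check-in: grateful, slept well.\n", encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(review(tmp, dt.date(2024, 6, 10)))
```

Run it against the real `memory/` directory with today's date; anything in `stale` is a candidate for deletion and anything in `sensitive` should be redacted by hand. The patterns are deliberately loose, so expect false positives and treat the output as a review aid, not an automatic scrubber.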

ASI07: Insecure Inter-Agent Communication
Low
What this means

Private journaling prompts or summaries could be delivered to the wrong recipient or through a provider the user did not intend.

Why it was flagged

The skill sends personal companion messages through an external channel selected by the user. This is expected, but incorrect target IDs or channel settings could expose personal reflections.

Skill content
**Channel**: [telegram/whatsapp/etc]
- **Target ID**: [chat ID or phone number]
Recommendation

Verify the channel and recipient ID carefully before enabling scheduled delivery, especially for sensitive reflections.
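A concrete way to do that verification before the first cron job fires, as an added example written for this review (not ClawScan's or the skill's code): parse the `Channel` / `Target ID` block quoted above and classify what kind of recipient the ID actually denotes. It assumes the config format shown in the finding and, as an assumption drawn from Telegram's public bot API conventions, that Telegram chat IDs are integers with private chats positive, basic groups negative and supergroups or channels prefixed `-100`, while WhatsApp recipients are E.164 phone numbers. The sample configs are constructed.

```python
"""Check a skill's delivery target before enabling scheduled messages.

Added example for this review; not ClawScan or Stoic Companion code.
Assumptions: the "**Channel**: ... / - **Target ID**: ..." config format quoted
in the review, Telegram chat ID sign conventions, and E.164 WhatsApp numbers.
"""
import re

CHANNEL_RX = re.compile(r"\*\*Channel\*\*:\s*(\S+)")
TARGET_RX = re.compile(r"\*\*Target ID\*\*:\s*(\S+)")


def _value(match):
    """Treat a bracketed value like [chat ID or phone number] as an unfilled placeholder."""
    if match is None:
        return None
    raw = match.group(1)
    return None if raw.startswith("[") else raw


def parse_delivery_config(text):
    """(channel, target_id) from the config block, or None if either is missing/placeholder."""
    channel = _value(CHANNEL_RX.search(text))
    target = _value(TARGET_RX.search(text))
    if channel is None or target is None:
        return None
    return channel.lower(), target


def classify_target(channel, target_id):
    """Describe the recipient type, or raise ValueError for a malformed ID.

    The operator must see *what kind* of recipient they typed: a Telegram group ID
    where a private chat was intended would broadcast reflections to every member.
    """
    if channel == "telegram":
        if not re.fullmatch(r"-?\d{1,20}", target_id):
            raise ValueError("Telegram chat ID must be an integer")
        if target_id.startswith("-100"):
            return "telegram supergroup/channel (many recipients)"
        if target_id.startswith("-"):
            return "telegram group (many recipients)"
        return "telegram private chat"
    if channel == "whatsapp":
        if not re.fullmatch(r"\+?[1-9]\d{6,14}", target_id):
            raise ValueError("WhatsApp target must be an E.164 phone number")
        return "whatsapp individual number"
    raise ValueError(f"unsupported channel {channel!r}")


def check_delivery(text, expect_private=True):
    """(ok, message). With expect_private=True, multi-recipient targets are refused."""
    parsed = parse_delivery_config(text)
    if parsed is None:
        return False, "channel or target ID not set (placeholder left in config?)"
    channel, target = parsed
    try:
        kind = classify_target(channel, target)
    except ValueError as err:
        return False, str(err)
    if expect_private and "many recipients" in kind:
        return False, f"{target} is a {kind}; refusing to send private reflections"
    return True, f"{target} looks like a {kind}"


# Constructed sample configs (not real IDs).
CONFIG_OK = "**Channel**: telegram\n- **Target ID**: 123456789\n"
CONFIG_GROUP = "**Channel**: telegram\n- **Target ID**: -1001234567890\n"
CONFIG_PLACEHOLDER = "**Channel**: [telegram/whatsapp/etc]\n- **Target ID**: [chat ID or phone number]\n"
CONFIG_WA = "**Channel**: whatsapp\n- **Target ID**: +4915112345678\n"

if __name__ == "__main__":
    for cfg in (CONFIG_OK, CONFIG_GROUP, CONFIG_PLACEHOLDER, CONFIG_WA):
        print(check_delivery(cfg))
```

The check is syntactic only: a well-formed private chat ID can still belong to the wrong person, so after it passes, send one harmless test message and confirm receipt on the intended device before enabling the evening check-in or weekly summary.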