Daily Self Improvement
Review
Audited by ClawScan on Mar 14, 2026.
Overview
The skill overall matches its stated purpose, but it uses an undeclared/hardcoded gateway token, references workspace files by default, and has a few surprising defaults that warrant review before installation.
This skill mostly does what its description says, but review these before installing:

- Hardcoded gateway token: the script falls back to a hardcoded OPENCLAW_GATEWAY_TOKEN value. Treat this as a secret exposure risk; don't assume it's benign. If you deploy, remove or replace the hardcoded token and set OPENCLAW_GATEWAY_TOKEN in a secure place; rotate any token that might have been exposed.
- Undeclared env vars: the skill reads OPENCLAW_GATEWAY_TOKEN and OPENCLAW_WORKSPACE, but the skill metadata doesn't declare them. Ensure you set OPENCLAW_WORKSPACE deliberately (or accept the default) and explicitly provide a gateway token if you want Discord notifications.
- Confirm the gateway endpoint: the script POSTs to 127.0.0.1:18789/api/message. Verify that this is your OpenClaw gateway and not another service on that port. If an attacker controls a local service on that port, the hardcoded token could be abused.
- File access: the skill reads/writes files under your OpenClaw workspace (memory/, daily notes, and the configured corrections path). Make sure those paths do not contain credentials or other sensitive data you don't want processed or included in reports.
- Defaults in script: the script contains a specific user path fallback (a /Users/... path) and a different default discordChannel id than the repo config. Confirm config/settings.json is correct for your environment before running.

If you want to proceed: inspect and remove the embedded token, set OPENCLAW_GATEWAY_TOKEN in your environment, confirm the gateway address and channel id, and run the script in an isolated environment first. If you cannot audit or change the token in the code, treat the skill as untrusted.
