ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clank Daily Summary

v1.0.0

Generate a daily summary of your agent's activities. Perfect for tracking progress and sharing updates.

0· 40·0 current·0 all-time
by@t3mr0i
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The README/description implies a runnable tool (clank-summary) and Telegram integration, but the skill bundle has no binaries, no code files, and no declared credentials. Counting commits (git) is plausible, but 'emails' and 'messages' and sending to Telegram would normally require additional permissions/credentials or code — none are provided.
!
Instruction Scope
The SKILL.md lists features and example CLI usage (clank-summary, --send) but gives no implementation steps or concrete runtime instructions for how to collect emails/messages or how to authenticate to Telegram. It asks the agent to operate on the agent's 'activities' without specifying data sources, paths, or required environment variables.
Install Mechanism
There is no install spec and no code — that reduces direct supply-chain risk. However the doc suggests installing via 'clawhub install clank-daily-summary' and running a 'clank-summary' binary that does not exist in this bundle, which is an incoherence to resolve before use.
!
Credentials
The skill declares no required environment variables or primary credential, yet claims Telegram integration (which would normally require a bot token and chat id) and collection of emails/messages (which may require IMAP/SMTP or API credentials). The absence of declared creds is disproportionate to the advertised features.
Persistence & Privilege
The skill does not request persistent/autonomous 'always' presence and uses default invocation behavior. It does not declare modifications to other skills or system-wide config.
What to consider before installing
This skill is inconsistent: it advertises a CLI and Telegram sending but provides only a short instruction file with no code and no declared credentials. Before installing or granting any tokens: (1) Ask the publisher where the 'clank-summary' executable or source code is and request a verifiable homepage or repository; (2) require an explicit list of environment variables (e.g., TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, mail API creds) and an explanation of how emails/messages will be accessed and stored; (3) do not provide Telegram bot tokens, email passwords, or other secrets until you can review the code or a trusted release; (4) prefer a skill that includes source or a trusted release URL so the behavior can be audited. If the publisher cannot supply these details, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

dailyvk979yjv03z430fbpnxdnzts1f583txxmlatestvk979yjv03z430fbpnxdnzts1f583txxmsummaryvk979yjv03z430fbpnxdnzts1f583txxmtrackingvk979yjv03z430fbpnxdnzts1f583txxm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📊 Clawdis

Comments