Header - Gateway to self-improving agent

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only Header integration is coherent and disclosed, but it asks for a full Header API key and can make account changes or set ongoing briefings, so users should review actions carefully.

Install this only if you trust Header and are comfortable giving the agent a full-scope Header API key. Review any topic changes, sharing, scheduling, or destructive operations before approving them, and treat briefing action items as suggestions rather than instructions.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If installed, the agent can use the Header account according to the API key's full permissions, including account-management actions shown in the workflow examples.

Why it was flagged

The skill requires a full-scope Header API credential, which is expected for this integration but gives the agent delegated access to the user's Header account.

Skill content

Create an API key (scope: **full**) at Dashboard > API Keys ... Set `HEADER_API_KEY` in your environment

Recommendation

Use a dedicated Header API key, prefer a narrower scope if Header offers one, and revoke or rotate the key if you no longer use the skill.

What this means

Mistaken or over-eager API calls could change the user's Header topics, sources, schedules, or shared briefings.

Why it was flagged

The skill exposes raw Bash/curl API operations that can mutate Header account state, such as subscribing or unsubscribing. The behavior is disclosed and aligned with the skill's purpose.

Skill content

allowed-tools: Bash, Read, Write, WebSearch ... curl -sL -X POST "$API/topics/TOPIC_ID/subscribe" ... curl -sL -X DELETE "$API/topics/TOPIC_ID/subscribe"

Recommendation

Review account-changing commands before they run, and require explicit confirmation for destructive or public-sharing actions.

What this means

Untrusted source material could influence suggested action items, even if the final decision remains with the user.

Why it was flagged

The skill brings externally sourced content into the agent's context as synthesized recommendations. The skill also includes a guardrail requiring user approval before acting on those recommendations.

Skill content

Header monitors sources (RSS, YouTube, Reddit, newsletters), synthesizes them through your goals, and delivers structured briefings with action items.

Recommendation

Treat briefings as advisory, verify important claims, and do not let the agent implement briefing recommendations without explicit review.

What this means

Header may continue producing briefings or maintaining subscriptions after initial setup until the user changes those settings.

Why it was flagged

The skill supports ongoing remote monitoring and scheduled briefings. This persistence is part of the advertised purpose rather than hidden background behavior.

Skill content

Research once — stay informed forever. ... Scheduling | "set up daily briefings", "brief me every 3 days"

Recommendation

Periodically review active Header topics, sources, and schedules, and disable any that are no longer needed.