birthday
PassAudited by ClawScan on May 10, 2026.
Overview
This appears to be a coherent local birthday-reminder skill, but it handles personal birthday/ID-derived data, optional notification credentials/channels, and may suggest creating a daily automation.
Before installing, decide where the birthday JSON file should live, avoid exposing full ID numbers unnecessarily, keep email/webhook notifications disabled unless you trust the destination, and explicitly approve any daily OpenClaw automation the skill proposes.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A daily job may keep running and checking the birthday file until the user disables it.
The skill explicitly asks the agent to create a persistent daily reminder automation after records are added. This is aligned with the reminder purpose, but it is ongoing behavior the user should knowingly approve.
调用这个 skill 的 AI 应读取这行 JSON,并为 openclaw 创建一个每日定时检查自动化。默认建议每天 09:00 执行 `check`。
Create the schedule only with user approval, and tell the user how to view, change, or remove the automation.
If email reminders are enabled, the skill may use the configured mail account to send birthday notifications.
The skill can use SMTP credentials when email reminders are explicitly enabled. This is disclosed and purpose-aligned, and the default email channel is disabled.
启用邮件时,优先填写或导出这些环境变量: ... `BIRTHDAY_SMTP_USERNAME` ... `BIRTHDAY_SMTP_PASSWORD`
Use a dedicated, least-privileged SMTP account or app password, and only enable email if needed.
Configured webhooks or email channels may disclose names and birthday reminder details to external services.
The documentation says reminder data can be sent to a configured webhook. This is optional and user-configured, but it can move personal birthday reminder content outside the local environment.
`webhook`:按配置发送到指定地址;如果执行环境限制网络,调用方应处理失败结果
Only configure notification destinations you trust, and avoid sending unnecessary personal details.
If the JavaScript email notification path is used, it may call a local mail-sending program.
The Node script imports child_process, and the reference documentation says the JS email version may use local sendmail. This is a local command capability, but the artifacts frame it as an optional notification path rather than unrelated execution.
const childProcess = require("child_process");Keep email disabled unless needed, review notification configuration before enabling it, and prefer the Python/agent/stdout paths if local command execution is not desired.