Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Daily-to-Goal MCP
v1.0.2
Connect to Daily-to-Goal (D2G) platform via MCP to manage goals, tasks, entities, and team performance. Use when the user wants to interact with their D2G pl...
⭐ 0 · 150 · 0 current · 0 all-time
by Xiao Ke @xiaoke-bot
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (Daily-to-Goal integration) align with the single required env var (DTG_API_KEY) and the listed tools (goals/tasks/entities/team). Requiring an API key for the D2G platform is expected.
Instruction Scope
SKILL.md is focused on the D2G integration and does not ask the agent to read unrelated files or additional credentials. However, it instructs adding an MCP server entry that will run `npx @daily-to-goal/mcp-server` at runtime, which grants the skill the ability to execute code obtained from npm.
Install Mechanism
No formal install spec is provided, but the instructions rely on `npx @daily-to-goal/mcp-server`. That causes dynamic download-and-execute behavior from the npm registry. The skill metadata lacks a homepage/source and the package publisher is unknown, increasing the risk that running npx will fetch unvetted code.
Credentials
Only DTG_API_KEY is required and that directly corresponds to the D2G API usage described. No additional unrelated credentials or config paths are requested.
Persistence & Privilege
`always` is false and the skill is user-invocable; it does not request persistent, platform-wide privileges. The MCP server pattern will run separately but the skill itself does not demand elevated agent-wide privileges in the metadata.
What to consider before installing
This skill appears to do what it says (manage Daily-to-Goal via an API key) but the runtime step uses `npx @daily-to-goal/mcp-server` with no homepage or source listed. That will download and execute code from npm on your machine. Before installing or running it: (1) verify the npm package exists and inspect its source (GitHub repo, package contents) and publisher identity; (2) prefer an official homepage or repository and avoid running npx from unknown packages; (3) run the MCP server in an isolated environment (container/VM) if you must test it; (4) create a limited-scope DTG API key and be prepared to rotate/revoke it; (5) avoid committing the key to source control and use a secrets manager. If the publisher or package cannot be verified, treat this as risky and decline installation.
Like a lobster shell, security has layers — review code before you run it.
latest vk97avh7sqtx5dhz01jazwwbqvh83fcc5
Runtime requirements
Env: DTG_API_KEY
