briefing
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill’s video-transcription purpose is plausible, but using it can automatically run a shell installer that downloads unreviewed code, installs packages with sudo, and changes your PATH despite minimal registry declarations.
Install only if you trust the GitHub repository and are comfortable with system package installation, sudo prompts, and persistent PATH changes. Review the remote repository and requirements before running the installer, or run it in a sandboxed environment.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Invoking the skill could run local shell commands before the user separately reviews or approves the installation.
The skill tells the agent to automatically run a shell installer as a precondition for normal use, rather than keeping installation as an explicit user-controlled setup step.
Before any execution, if the `briefing` binary is missing from PATH: ... execute `bash {skillDir}/install.sh`
Require explicit user approval before running the installer, and let users inspect or run it manually in a controlled environment.
The code that ultimately runs can change outside this reviewed package, so users are trusting a remote repository and its dependencies.
The installer fetches the actual application and its dependency list from a remote GitHub repository at install time; those files are not included in the reviewed artifacts and no commit, tag, hash, or lockfile is pinned here.
REPO_URL="${REPO_URL:-https://github.com/YutaiGu/skill-briefing.git}" ... git clone "$REPO_URL" "$INSTALL_DIR" ... "$VENV_DIR/bin/pip" install -r "$INSTALL_DIR/requirements.txt"
Pin the repository to a reviewed commit or release, include the runnable code and lockfile in the package, and declare the remote install behavior in the registry metadata.
The skill may make system-wide changes, not just operate within the OpenClaw skill directory.
The installer can request administrator privileges to install system packages and place a launcher under a global binary directory.
sudo apt-get update ... sudo apt-get install -y git curl python3.12 python3.12-venv ffmpeg ... sudo install -m 0755 "$tmpfile" "$target_path"
Avoid automatic sudo use; document the required packages and provide a least-privilege install path such as a user-local binary and virtual environment.
The command remains integrated into future shell sessions unless the user removes the PATH entry and launcher.
The installer persists environment changes by modifying shell startup files so the `briefing` launcher remains on PATH.
printf "\n%s\n" "$line" >> "$target" ... log "Added PATH entry to $target"
Document the files changed during installation and provide a clear uninstall command that removes the launcher, virtual environment, cloned repository, and shell profile entry.
