Trust Assessment
daily-briefing received a trust score of 81/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 0 high, 3 medium, and 0 low severity. The findings are: "Sensitive environment variable access: $HOME"; "Sensitive environment variable access: $USER"; and "iCloud Mail password potentially exposed via process arguments".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Description | Layer | Location |
|---|---|---|---|---|
| MEDIUM | Sensitive environment variable access: $HOME | Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/antgly/daily-briefing/scripts/daily_briefing_orchestrator.sh:32 |
| MEDIUM | Sensitive environment variable access: $USER | Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/antgly/daily-briefing/scripts/daily_briefing_orchestrator.sh:94 |
| MEDIUM | iCloud Mail password potentially exposed via process arguments | The skill's orchestrator script (`daily_briefing_orchestrator.sh`) reads the `emails.icloudPassword` from the configuration file. The `SKILL.md` explicitly mentions the `himalaya` tool for iCloud Mail, implying this password will be used with it. It is a common practice for CLI tools to accept passwords as command-line arguments. If the `EMAILS_ICLOUD_PASSWORD` variable is passed directly as a command-line argument to `himalaya` or a similar tool, it could be briefly visible in process lists (`ps`) to other users or processes on the system, leading to credential exposure. Avoid passing sensitive credentials as command-line arguments. Instead, use environment variables (e.g., `HIMALAYA_PASSWORD=... himalaya ...`), secure input methods (e.g., `read -s`), or configuration files with restricted permissions that the tool can read directly. | LLM | scripts/daily_briefing_orchestrator.sh:90 |