Automated daily planning and reflection system with morning briefs, wind-down prompts, sleep nudges, and weekly reviews. Use when the user wants to set up a...
Security Analysis
medium confidence
The skill's purpose (daily briefs) matches the included scripts, but there are important inconsistencies — undeclared credentials, hard-coded user paths, and local storage of potentially sensitive data — that you should review before installing.
The name and description (automated daily briefs, wind-downs, weekly reviews) align with the included scripts (Google Tasks sync, ARR/Stripe sync, morning-brief launcher). ARR tracking via a SkillBoss API is within plausible scope for founders tracking revenue, so the capability set is broadly coherent with the stated purpose. However, the bundle mixes personal productivity functionality with product/finance telemetry (ARR), which expands the trust surface beyond a simple daily planner.
SKILL.md and the scripts instruct the agent to read and write local files (memory/YYYY-MM-DD.md, heartbeat-state.json, google-tasks.json, stripe-data.json) and to fetch data from external services (Google Tasks API and SkillBoss endpoints). The skill instructs storing OAuth credentials under ~/.openclaw/google-tasks/ and saves customer IDs and ARR calculations to local JSON. Those behaviors are functionally related to the skill but involve handling sensitive credentials and customer data — this scope should be explicitly declared and reviewed.
There is no formal install spec (instruction-only), and required Python packages are installed via pip per SKILL.md. No external binary downloads or archives are used. This is lower-risk than arbitrary downloads, but pip dependency installation should be considered (supply-chain and environment differences).
Registry metadata lists no required env vars or primary credential, but both SKILL.md and the scripts require credentials: Google OAuth credentials file, and SKILLBOSS_API_KEY and SKILLBOSS_PROJECT_ID for ARR sync. Those credentials are necessary for features but were not declared in the manifest — a significant mismatch. The ARR script also collects and writes customer_ids to local disk, which may be sensitive; ensure you expect and consent to that.
The skill does not request always:true and does not modify other skills or system-wide settings. It writes files under workspace/memory (local state) which is expected for automation. Autonomous invocation is allowed by default (platform normal).
Guidance
This skill appears to do what it says (generate briefs and sync tasks/ARR) but there are gaps you should address before installing:
- Credentials: The registry claims no required env vars, but the skill needs Google OAuth credentials and (optional) SKILLBOSS_API_KEY and SKILLBOSS_PROJECT_ID. Expect to provide those; do not put long-lived secrets in shared shells or world-readable files.
- Hard-coded paths: Scripts use absolute paths (e.g., /Users/tom/.openclaw/...). Update scripts to use relative or workspace-aware paths before running, or run in an isolated environment where those paths are safe.
- Data written locally: The ARR script saves customer_ids and ARR data to stripe-data.json and heartbeat-state.json. If those customer IDs are PII/business-sensitive, review whether you are comfortable storing them on your machine and who can read those files.
- External endpoints: The ARR code calls api.heybossai.com and shopping.heybossai.com; verify you trust those services and that the SKILLBOSS_API_KEY you provide has appropriate, limited scopes.
- Ownership & provenance: The skill source and homepage are unknown. Prefer skills with a verifiable repository or author.

If you proceed, run it in a container or dedicated account, inspect/modify the scripts to remove hard-coded paths, and confirm the exact permissions of any API key you supply. If the author updates the manifest to declare required env vars, removes hard-coded user paths, and documents exactly what local data is stored, confidence in coherence would rise.
Latest Release
v1.0.0
Initial release of Daily Rhythm — a comprehensive automated daily planning and reflection skill.
- Automates morning briefings, evening wind-down prompts, and sleep nudges.
- Includes weekly review sessions for reflection and task planning.
- Integrates with Google Tasks (sync), calendar (ICS), and optionally SkillBoss API Hub for ARR tracking.
- Highly customizable with focus area, personalized intentions, and flexible cron-based scheduling.
- Step-by-step setup and troubleshooting instructions included in SKILL.md.
Published by @alvisdunlop on ClawHub