Daily news briefing generator — produces a conversational radio-host-style audio briefing + DOCX document covering weather, X/Twitter trends, web trends, world news, politics, tech, local news, sports, markets, and crypto. macOS only (uses Apple TTS and afplay). Use when user asks for a news briefing, morning briefing, daily update, or similar.
Security Analysis
Medium confidence: The skill mostly does what it claims (generate local audio + DOCX news briefings), but there are several inconsistencies and scope-creep items (macOS-only behavior not enforced, scripts probing user home caches, and instructions to spawn a sub-agent that will run code from the skill directory) that merit caution before installation.
The skill's stated purpose (local news/audio briefings, macOS TTS) matches the included code and network calls (Open-Meteo, Coinbase, Google Trends, getdaytrends). However: (1) SKILL.md and README say 'macOS only' and rely on macOS tools like say/afplay, but the registry metadata does not enforce an OS restriction and the declared required binaries list only curl (missing say/afplay). (2) The skill references optional components (MLX-Audio/Kokoro, pandoc, ffmpeg) that are not required but could be installed/used; the required bins list is incomplete relative to runtime claims.
Runtime instructions tell the agent to spawn a sub-agent with a full pipeline and to replace SKILL_DIR with the absolute skill path; the included scripts then run local Python code that reads/writes ~/.briefing-room and ~/Documents and (in config.py) probes other user paths (e.g. ~/.cache/huggingface/hub, ~/.openclaw, ~/.local). That means the skill will read files under the user's home (HuggingFace cache, .openclaw tools, etc.) and could include their contents in sub-agent operations. While searching for local ML voice artifacts is explainable for local TTS, it is broader-than-expected file system access and could surface locally cached model files/metadata. The instructions also require the agent to start the sub-agent non-blocking and give it discretion to perform web searches and compose content — reasonable for the feature but more network activity and local-file access than a minimal 'news fetcher'.
There is no install spec (instruction-only installation), so nothing arbitrary is downloaded or installed by the registry. This minimizes install-time risk. The package includes local helper scripts only.
No environment variables or credentials are requested (good). However, config.py explicitly inspects several locations under the user's home (e.g. ~/.cache/huggingface/hub snapshots, ~/.openclaw, ~/.local/share, /tmp) to detect MLX/Kokoro and pre-blended voice files. That access is related to the stated TTS functionality but does mean the skill will enumerate and read parts of your home directory if those features are used. No unrelated cloud credentials are requested.
The skill does not set always: true, does not request system-wide changes, and reads/writes only to its own config (~/.briefing-room) and a user output folder (~/Documents/Briefing Room) with a validation whitelist. It does spawn a sub-agent for asynchronous work (normal for skills) but does not request elevated or persistent system privileges.
Guidance
This skill appears to implement the advertised local news + audio briefing functionality, but review and consider the following before installing:
- It's designed for macOS (uses say/afplay) but the registry metadata doesn't enforce that; expect failures on other OSes.
- The runtime will read and write files under your home directory (~/.briefing-room, ~/Documents) and will probe other locations (e.g. ~/.cache/huggingface, ~/.openclaw) to detect local TTS/model artifacts. If you have sensitive material in those caches you should be cautious.
- The skill instructs the agent to spawn a sub-agent and run the full pipeline from the skill directory. Confirm you're comfortable with an autonomous sub-agent performing web searches and making outbound HTTP requests (Open-Meteo, Coinbase, getdaytrends, Google Trends) on your behalf.
- If you don't plan to use MLX/Kokoro local TTS or HuggingFace-based blended voices, you can keep defaults (Apple builtin TTS) to avoid the skill touching the HuggingFace cache.
If you decide to proceed: run the first-run setup (python3 scripts/config.py init) manually so you can inspect the created config, set output.folder to a safe location, and confirm which optional tools (pandoc/ffmpeg/MLX) the skill uses. If you want stronger assurance, ask the maintainer to (a) explicitly require macOS in metadata, (b) add say/afplay to requires.bins, and (c) avoid scanning arbitrary home-cache locations unless the user enables MLX/Kokoro TTS.
Latest Release
v1.0.3
- Security: output.folder path validation — rejects writes to sensitive directories (/etc, ~/.ssh, etc). Only allows ~/Documents, ~/Desktop, ~/Downloads, ~/.briefing-room, /tmp.
Published by @matusvojtek on ClawHub