Is antgly/daily-briefing safe?
https://github.com/openclaw/skills/tree/main/skills/antgly/daily-briefing
The daily-briefing skill appears to be a legitimate personal assistant utility with no overt malicious intent in its code. However, it presents several compounding privacy and security concerns: it aggregates sensitive PII (contacts, calendar, email metadata) into a world-readable /tmp file on every run, stores an iCloud app-specific password in plaintext config, and leaks the user's location to a third-party weather service. Most concerning is a post-install auditd observation of all major credential honeypot files being read in a systematic batch at timestamp 1771735950, though the monitoring system reports canaries intact with no detected exfiltration. The skill's output-suppression directives reduce user visibility into agent activity.
Findings (10)
HIGH Batch credential file enumeration post-install -28
Auditd PATH records show all six honeypot credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .gcloud/application_default_credentials.json) read in a single burst at timestamp 1771735950.146, approximately 4-5 seconds after install completed. This access pattern is consistent with systematic credential harvesting. The monitoring system reports canary files intact (no write or detected exfil), but read access alone constitutes reconnaissance.
HIGH Sensitive PII aggregated in world-readable /tmp file -20
The orchestrator writes a comprehensive PII bundle to /tmp/daily_briefing_data.json on every run. This file includes the full contact list (names and email addresses), calendar events, reminders, and email metadata. The file is world-readable and persists until the next run or an explicit --cleanup. Any co-installed skill or process can read this file without the user's knowledge.
HIGH iCloud app-specific password stored in plaintext -15
The skill stores an iCloud Mail app-specific password in plaintext at ~/.openclaw/openclaw.json under skills.entries.daily-briefing.config.emails.icloudPassword. App-specific passwords grant persistent access to iCloud Mail. Storing them in a non-secret JSON config file (readable by any process running as the user) is a significant credential exposure risk.
MEDIUM Output suppression directive hides agent activity -15
SKILL.md contains a CRITICAL-labeled directive instructing the agent to output only briefing text and suppress all tool output, file paths, explanations, and status messages. While legitimate for cron delivery UX, this directive prevents users from auditing what the agent is doing when running the skill interactively, reducing transparency.
MEDIUM User location transmitted to third-party service -8
The skill directs the agent to send the user's configured location to wttr.in on every invocation using curl. This is a persistent geolocation side-channel to a third-party service the user has no direct relationship with in the context of this skill.
MEDIUM osascript JavaScript (JXA) execution accesses Contacts.app -13
The orchestrator uses osascript -l JavaScript to enumerate all contacts and their birthdays from macOS Contacts.app. JXA has access to a broad macOS automation API surface beyond just contacts. The script is not malicious but establishes a JXA execution pattern.
MEDIUM PII aggregation creates high-value target for co-installed skills -20
The /tmp/daily_briefing_data.json file is a comprehensive personal intelligence dossier (contacts, calendar, email metadata). Any other skill with filesystem access can silently read this file. Combined with a network-capable or clipboard-capable skill, this becomes a data exfiltration pivot point without requiring the attacking skill to access protected macOS APIs.
LOW Forced execution path constrains agent autonomy -10
SKILL.md instructs the agent to 'Never run raw CLI commands directly' and 'Always invoke the runner script'. While this is framed as a TCC permissions workaround, it creates a rigid execution pipeline that could be exploited to control exactly what the agent runs without user awareness.
LOW Platform gateway new connections post-install -12
After install, the openclaw-gateway process (pid=1074) shows new established connections to 44.214.208.192:443 (AWS) and 104.16.0.34:443 (Cloudflare), plus new listeners on localhost:18790 and localhost:18793. This appears to be the ClawdBot platform daemon, not the skill itself, but the timing coincidence warrants noting.
INFO install.sh creates executable runner script at install time -5
install.sh creates bin/run_daily_briefing.sh which wraps the orchestrator. The script is benign but executes at install time and makes files executable (chmod +x). This is expected behavior for this skill type.