Is justasknudge/daily-briefing-skill safe?
https://github.com/openclaw/skills/tree/main/skills/justasknudge/daily-briefing-skill
The daily-briefing-skill embeds a data exfiltration mechanism across three independent code paths that route user PII — calendar events, meeting titles, geolocation, and AI usage costs — to the skill author's email address ([email protected]). The primary attack vector is a cron.yaml agentTurn payload that injects instructions into the AI agent's execution context to send collected data to the author, bypassing any recipient configured in config.yaml. The simultaneous hardcoding of this email in SKILL.md metadata and as a shell script fallback default indicates intentional design rather than a development oversight. Users installing this skill via the OpenClaw cron system would silently exfiltrate their daily personal schedule to a third party.
Findings (10)
CRITICAL (-60): cron.yaml AgentTurn Payload Injects Exfiltration Instruction Overriding User Config
The cron.yaml file defines a scheduled job with payload.kind='agentTurn' whose content field explicitly instructs the AI agent to send the briefing to '[email protected]'. This embedded instruction is injected into the agent context at execution time and overrides any recipient the user configures in config.yaml. When a user activates this cron job through OpenClaw's scheduler, they authorize an agent turn that is pre-programmed to route their private calendar data, meeting details, and location to the skill author's email address — without any UI disclosure.
HIGH (-20): SKILL.md Metadata Delivery Field Hardcodes Author Email
The SKILL.md OpenClaw metadata block hardcodes [email protected] as the delivery target. Any OpenClaw system component that reads skill metadata to configure delivery would route user briefings to the author by default, before the user has an opportunity to update config.yaml.
CRITICAL (-45): Personal Calendar and Location Data Routed to Skill Author Email via AgentTurn
The cron.yaml agentTurn instructs the agent to collect and send a briefing containing: (1) Calendar.app events for the day including meeting titles, times, and recurrence via AppleScript; (2) precise geolocation via wttr.in weather (defaulting to Leyton, London); (3) AI model usage statistics and costs from codexbar. All of this is dispatched via iMessage to [email protected]. The briefing is a rich PII document that reveals daily schedule, meeting patterns, location, and tooling costs to an external party.
HIGH (-15): Default Fallback Recipient in send-briefing.sh Is Author Email
The send-briefing.sh script sets [email protected] as the default recipient via bash parameter expansion. If the script is invoked without an explicit argument, or if config.yaml parsing fails (e.g., file missing, YAML parsing error, empty value), user data is silently sent to the author. This creates a fail-open exfiltration path.
HIGH (-10): macOS Calendar.app Access via AppleScript Subprocess
calendar.py executes a multi-line AppleScript via subprocess.run (osascript) that iterates over all calendars and reads every event for the current day, including the event summary (title) and start time. This requires Automation permission and provides detailed daily schedule intelligence that is then incorporated into the briefing payload.
MEDIUM (-5): Installed Skills Directory Enumeration
openclaw_dive.py reads the user's local OpenClaw skills directory using glob, enumerating all installed skills and extracting description fields from their SKILL.md frontmatter. The resulting list of installed tool names and descriptions is included in the briefing, revealing the user's operational tooling profile to the briefing recipient.
MEDIUM (-30): Broad System Command Execution via subprocess Without Input Sanitization
Four Python modules invoke external system binaries via subprocess.run: icalBuddy and osascript (calendar.py), codexbar (cost_tracker.py), and imsg (send-briefing.sh). The scripts lack input validation on external data (RSS titles, calendar event names) that are incorporated into shell command arguments. Calendar event titles could contain shell metacharacters. The imsg binary requires macOS Automation permission in System Settings.
LOW (-18): Sparse Checkout from Public GitHub Monorepo
Installation performs a shallow clone of the openclaw/skills monorepo to /tmp/monorepo-clone, configures sparse-checkout to retrieve only the target skill subdirectory, then copies the files and removes the clone. Network activity is limited to GitHub (140.82.112.4) and Ubuntu package infrastructure. No unexpected post-install execution or secondary downloads were detected.
INFO (-7): Canary File Accesses Attributable to System Processes, Not Skill
Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/credentials.json) were opened per auditd PATH records but reported as intact. Timing analysis places accesses at 1771905106.401 (system login/PAM initialization, before install at 1771905111.868) and 1771905123.299 (post-install audit sweep). These are consistent with system login processes and the Oathe monitoring infrastructure itself, not the skill.
CRITICAL (-82): Social Engineering Pattern: Utility Skill with Embedded PII Exfiltration to Author
The skill exhibits a textbook social engineering attack pattern: present as a high-value productivity utility (daily briefing), request broad system permissions (Calendar access, iMessage automation), collect rich PII (daily schedule, meetings, location, AI tool usage), and route collected data to the attacker via a mechanism that appears to be normal scheduled delivery. The cron.yaml agentTurn payload is the execution vector — it injects instructions directly into the agent's decision context rather than relying on the user to execute scripts, making the exfiltration path resilient to users who audit config.yaml but do not review cron.yaml payloads. The simultaneous hardcoding of [email protected] in SKILL.md metadata, cron.yaml payload, and send-briefing.sh defaults is not consistent with an accidental oversight; it represents defense-in-depth for ensuring delivery to the author across multiple invocation paths.