daily-rhythm
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) because it ingests untrusted data from external sources and incorporates it into AI-generated planning.
  - Ingestion points: The skill reads task titles and notes from `google-tasks.json` and event details from a user-provided Calendar ICS URL.
  - Boundary markers: No explicit delimiters or 'ignore' instructions are present in the scripts to prevent the AI from obeying instructions embedded in task notes.
  - Capability inventory: The skill possesses the ability to execute shell scripts (`morning-brief.sh`) and write to the local filesystem (/memory/directory).
  - Sanitization: There is no evidence of filtering or sanitization of the content fetched from Google Tasks or Calendar before it is passed to the LLM for generating the morning brief.
- [COMMAND_EXECUTION]: The skill relies on shell script execution (`morning-brief.sh`) and provides instructions for users to modify their system crontab. While documented, these are persistence mechanisms and execution patterns that increase the attack surface if the underlying scripts are compromised.
- [EXTERNAL_DOWNLOADS]: The skill requires several external Python dependencies (Stripe and Google API clients) and makes legitimate network requests to Google and Stripe APIs to synchronize user data.
- [DATA_EXFILTRATION]: The skill accesses sensitive files including `.env.stripe` and Google OAuth tokens. While used for functional purposes, this data, along with personal tasks and financial ARR, is formatted for transmission to external messaging platforms (Telegram/WhatsApp) as part of the briefing process.
- [OTHER]: The scripts contain hardcoded absolute paths (e.g., `/Users/tom/.openclaw/workspace`) which point to a specific user's home directory, indicating the skill may not function correctly in other environments without manual modification.
Audit Metadata