daily-review
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICALCREDENTIALS_UNSAFEREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (CRITICAL): In 'scripts/daily-review.sh', data fetched via 'curl' from the ActivityWatch API is piped directly into 'python3'. This allows potentially untrusted data from a network endpoint to be executed by an interpreter without validation.- [CREDENTIALS_UNSAFE] (HIGH): Hardcoded 'AUTH_TOKEN' and 'CT0' secrets for X.com are explicitly defined in the SSH command block within 'scripts/daily-review.sh'.- [DATA_EXFILTRATION] (HIGH): The skill reads multiple sensitive files containing private tokens, including '
/clawd/secrets/slack-super-ada.json', '/clawd/secrets/fireflies.key', and session history from '~/.clawdbot/agents/main/sessions/'. - [COMMAND_EXECUTION] (HIGH): The script executes arbitrary commands on a remote host via SSH using a hardcoded IP address ('100.86.150.96'), which poses a risk if the remote endpoint or the connection is compromised.- [EXTERNAL_DOWNLOADS] (MEDIUM): The installation instructions require cloning a repository ('steipete/bird') from an untrusted GitHub source and running its build tools, which can lead to supply chain attacks.- [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8). • Ingestion points: 'scripts/daily-review.sh' ingests Slack message summaries and Fireflies meeting transcripts. • Boundary markers: Absent; data is interpolated directly into the output. • Capability inventory: includes 'curl', 'ssh', 'python3', and sensitive file access. • Sanitization: Absent; no validation or escaping is performed on external transcripts or messages.
Recommendations
- HIGH: Downloads and executes remote code from: http://localhost:5600/api/0/buckets/aw-watcher-window_MascotM3/events?limit=500 - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata