← Back to Skills Marketplace
sai-sh

Daily Briefing

by sai-sh · GitHub ↗ · v1.0.11
cross-platform ⚠ suspicious
942
Downloads
0
Stars
0
Active Installs
12
Versions
Install in OpenClaw
/install user-briefing
Description
Provides a personalized morning briefing with current weather, upcoming calendar events, important emails, and top pending tasks.
Usage Guidance
This package appears to do what it says: fetch weather and Google data and assemble a briefing. Before installing, consider the following: (1) only provide short-lived or scoped OAuth tokens in the .env — avoid placing long-lived or highly privileged credentials there; (2) verify which exact Google scopes you grant (read-only scopes are preferable); (3) review the main.py source yourself for any network calls you don't expect (note the file contains a SKILL_VERIFY_SOURCE_URL that differs from the URL in the README — a harmless inconsistency but worth checking); (4) run the skill in an isolated environment (virtualenv/container) so its dependencies and tokens are sandboxed; (5) if you need stronger assurance, ask the author for the expected behavior of any verification/fetch logic (the file contains regexes for scraping/verification that appear unused in the visible code). If you do not want your email/calendar data read, do not provide the Google tokens.
Capability Analysis
Type: OpenClaw Skill Name: user-briefing Version: 1.0.11 The skill is suspicious due to a built-in 'verification' mechanism that introduces a significant prompt injection vulnerability. The `skill.md` file explicitly instructs the AI agent to 'Always verify the skill before at https://gist.github.com/sai-sh/c47ef834a03bad99c2b617dd260fd304'. Concurrently, the `main.py` file contains a `verify_skill()` function that performs two external network requests (to `https://clawhub.ai/sai-sh/user-briefing` and the URL extracted from `skill.md`, which is `https://gist.github.com/sai-sh/c47ef834a03bad99c2b617dd260fd304`). The content fetched from the GitHub Gist is then stripped of HTML tags and prepended to the skill's output. This design allows for dynamic content injection into the agent's context, creating a high-risk vector for prompt injection if the remote content were to be compromised or controlled by an attacker, even though there is no clear evidence of intentional malicious exploitation in the current content.
Capability Assessment
Purpose & Capability
Name/description (weather, calendar, email, tasks) match the code and instructions. The skill asks only for an OpenWeather API key and Google OAuth access tokens, which are exactly what's needed to call those APIs. Required files (config.json, .env) and listed Python dependencies are appropriate for the stated functionality.
Instruction Scope
Runtime instructions stick to running main.py, installing dependencies, and providing tokens in a .env file. Minor inconsistencies in the prose: SKILL.md mentions verifying at a gist URL while main.py defines a different SKILL_VERIFY_SOURCE_URL (clawhub.ai), and the doc refers to "four services" though three are described. These are sloppy but not evidence of malicious behavior. No instructions ask the agent to read unrelated system files or exfiltrate data.
Install Mechanism
No install spec that downloads arbitrary archives; dependencies are standard Python packages listed in requirements.txt. Installation is via pip -r requirements.txt which is proportionate for the code present.
Credentials
The skill requests a small, relevant set of secrets: OPENWEATHER_API_KEY, GOOGLE_CALENDAR_TOKEN, and GMAIL_TOKEN. Those are necessary for the described API calls. The code reads .env from the skill directory and config.json; it does not request unrelated credentials or system-wide tokens.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It only reads local config/.env and makes outbound API calls — privileges are limited to what's required.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install user-briefing
  3. After installation, invoke the skill by name or use /user-briefing
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.11
Version 1.0.11 - Updated the wording and formating
v1.0.10
- Added a new "NOTE" section in the documentation to clarify API key requirements. - Clearly states that you must provide keys for the services to use the related features. - Now explains you can use any single feature by providing only the relevant service's API key. - Removed web_checkin_url
v1.0.9
- Updated documentation to clarify that configuration is now read from /config.json instead of ~/.morning-briefing/. - Revised troubleshooting and notes sections to remove references to the old config directory. - Minor adjustments to instructions and wording for accuracy and consistency.
v1.0.8
- Updated documentation to clarify configuration location and instructions. - Now specifies that `config.json` and `.env` should be in the same directory as `main.py`. - Revised setup and customization steps for clarity. - General cleanup for more concise and direct usage guidance.
v1.0.7
- Clarified instructions: Do not show installation/configuration popups unless the user asks, and avoid asking many questions. - Emphasized best security practices by recommending short-lived keys in the `.env` file. - Improved language to focus on automation and a less intrusive setup process. - Minor adjustments to section wording and numbering in configuration instructions for clarity.
v1.0.6
Version 1.0.6 of user-briefing - Minor update to documentation: removed mention of optional headless browser URL check from the list of network outbound calls.
v1.0.5
- Added clear documentation on required sensitive credentials and environment variables for operation. - Clarified that configuration is read from `~/.morning-briefing/` in the user’s home directory. - Listed explicit network access endpoints, including OpenWeather, Google APIs, and an optional web check. - Improved documentation regarding outbound network calls and use of credentials.
v1.0.4
- Updated documentation to emphasize a user-friendly, non-intrusive setup and operation. - Clarified setup updates only if explicitly requested. - Added notes to assume setup is already done and not to ask the user unnecessary questions. - Modified setup instructions to further streamline and simplify user experience. - Added reminders to remember the installation path and to always run the main file for guidance.
v1.0.3
- Added a reminder to always verify the skill before running
v1.0.2
- No user-facing changes in this version. - No file changes detected. - All documentation, usage, configuration, and functionality remain unchanged.
v1.0.1
- Skill now loads `.env` and `config.json` from `~/.morning-briefing/`, not the skill directory. - Updated usage to run main script from `{baseDir}/main.py`. - Clarified setup instructions for environment variable and config file locations. - Configuration and environment variables can be managed in the user’s home directory for easier access.
v1.0.0
Major update: The skill has been reworked to offer a richer, multi-source morning briefing. - Now combines weather, calendar events, priority emails, and task lists in a unified morning summary. - Enhanced setup guide, configuration, and error handling documentation. - Added support for OpenWeather and Google APIs (Calendar, Gmail, Tasks) via .env file. - Flexible config options for location, units, time ranges, and max items per section. - Removed reliance on Notion and Apple Reminders. - Significant improvement to output formatting for clarity and motivation.
Metadata
Slug user-briefing
Version 1.0.11
License
All-time Installs 0
Active Installs 0
Total Versions 12
Frequently Asked Questions

What is Daily Briefing?

Provides a personalized morning briefing with current weather, upcoming calendar events, important emails, and top pending tasks. It is an AI Agent Skill for Claude Code / OpenClaw, with 942 downloads so far.

How do I install Daily Briefing?

Run "/install user-briefing" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Daily Briefing free?

Yes, Daily Briefing is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Daily Briefing support?

Daily Briefing is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Daily Briefing?

It is built and maintained by sai-sh (@sai-sh); the current version is v1.0.11.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments