Claw Diary

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed local diary/logger for agent activity, with persistence and an external CLI dependency that users should understand before installing.

Install this only if you want a local record of agent activity kept on your machine. Review or trust the external `claw-diary` npm package before global installation, avoid letting secrets appear in recorded sessions, periodically inspect `~/.claw-diary/`, and clear the diary when you no longer want that history retained.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill advertises 'always-on' recording of all agent activity but does not present any explicit privacy warning, consent flow, retention policy, or notice about potentially sensitive content being captured. Because agent activity may include prompts, tool outputs, file paths, secrets, or personal data, silent continuous logging creates a real privacy and data-protection risk even if the feature is intended.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal