auto-diary

Security checks across malware telemetry and agentic risk

Overview

This is a real diary automation skill, but it can automatically summarize private workspace memory and send parts of it to a fixed Feishu chat.

Install only if the Feishu chat ID is yours and you are comfortable with OpenClaw workspace memory and diary summaries being posted there on a schedule. Before enabling cron, make Feishu delivery configurable or disable it, and periodically review diary and auto-learn outputs for sensitive content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 96%
Finding:
The skill clearly performs file reads, file writes, and cron/shell-oriented setup actions, yet it declares no permissions or capability boundaries. This weakens reviewability and can cause the agent to execute broader operations than a user would reasonably infer from the metadata, especially in an automated scheduled context.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 98%
Finding:
The declared description says the skill writes diary summaries and extracts insights, but the body also reads multiple workspace files and sends generated content to an external Feishu destination via a hardcoded chat ID. This mismatch is dangerous because reviewers and users may approve a seemingly local journaling skill without realizing it performs outbound disclosure of aggregated memory content.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The skill sends diary-derived content and insights to an external Feishu chat but does not present a clear warning in the user-facing description that local memory content may be disclosed externally. Users could unknowingly enable scheduled exfiltration of sensitive operational notes, reflections, and status data.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The script reads private diary entries, extracts summaries/decisions, and prints a consolidated prompt to stdout. In agentic or logged environments, stdout is often captured by logs, orchestration systems, or downstream tools, creating an unintended disclosure path for sensitive personal information.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The script reads diary entries directly from a fixed path under the user's home directory and then packages their contents for output, without any consent check, disclosure, or access scoping. In an agent skill that automates summaries and downstream sharing, this creates a real privacy risk because sensitive personal notes can be exfiltrated or transmitted to external systems unexpectedly.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The script reads multiple potentially sensitive local files—daily memory, NOW.md, farm state, and recent auto-learn entries—and aggregates them into a single context blob without notice, consent, or minimization. In the context of an AI diary generator, this increases the risk that private data is silently ingested and then reproduced in generated diary content or downstream systems.

Ssd 3

Severity: Medium
Confidence: 99%
Finding:
The workflow explicitly reads local memory, status, and diary-related files, summarizes them into natural language, appends learnings to persistent storage, and pushes content to an external Feishu chat. This creates a direct data disclosure path from potentially sensitive internal notes and system state into an external messaging system, with increased risk because summarization can surface sensitive facts users did not intend to share.

Ssd 3

Severity: Medium
Confidence: 89%
Finding:
The prompt explicitly instructs appending 'valuable insights' from private diary content into a long-lived memory file. This creates a persistent data-retention channel that may store sensitive personal information in a secondary location, increasing exposure, discoverability, and unintended reuse by other agents or tools.

Ssd 3

Severity: Medium
Confidence: 96%
Finding:
The script collects broad prior memory and state, then feeds it into a prompt that asks for structured persistent diary output with summaries, decisions, lessons, and system-facing notes. Without any filtering, classification, or scoping, sensitive user content can be copied into durable artifacts, creating a clear confidentiality risk and an opportunity for prompt-injected memory content to influence what gets retained.

Ssd 3

Severity: Medium
Confidence: 93%
Finding:
The prompt explicitly asks for 'System Notes' as raw information for another system, and the extraction pipeline appends derived content into auto-learn.md as long-term memory. That design encourages preservation and propagation of contextual material across systems and time, which can leak sensitive data far beyond the original diary-generation purpose.

VirusTotal

64/64 vendors flagged this skill as clean.
