LifeLog
Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: lifelog
Version: 1.2.4
The lifelog skill bundle automates recording user messages to Notion but contains significant shell injection vulnerabilities. In scripts like 'lifelog-append.sh' and 'lifelog-recorder.sh', user-provided content is directly interpolated into shell commands and JSON payloads for both the local OpenClaw SubAgent API and the Notion API. The use of fragile 'sed' commands for escaping and the lack of robust input sanitization create a high risk of command injection if the agent processes untrusted or specially crafted input. While the behavior is aligned with the stated purpose and no clear evidence of intentional malice was found, the coding patterns are highly insecure.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can read or update the Notion database shared with the integration token.
The skill requires a Notion integration token and database ID. This is expected for writing life logs to Notion, but it grants access to the connected Notion database.
credentials:
  required:
    - NOTION_KEY
    - NOTION_DATABASE_ID
Use a dedicated Notion integration shared only with the intended LifeLog database, prefer environment variables or a secret store, and revoke the token if you uninstall the skill.
Qualifying messages can create or update pages in the configured Notion database without a separate confirmation for each entry.
The script mutates Notion pages to append or create life-log records. This matches the purpose, but it is still third-party account data modification.
RESULT=$(curl -s -X PATCH "https://api.notion.com/v1/pages/$PAGE_ID"
Install only if you want automatic Notion logging; use a dedicated database and keep backups if the diary content is important.
Personal diary text may be processed by the agent or configured model provider as part of date recognition and summary analysis.
The skill directs a SubAgent to inspect user messages for date classification. This is purpose-aligned, but it means private message content may cross an agent/model boundary.
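**Immediately call the SubAgent to determine the date** - analyze the date keywords in the message (today / yesterday / the day before yesterday / a specific date) and the context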
Confirm you are comfortable with the configured model/provider handling diary text, especially if entries include sensitive personal details.
Stored diary entries can be reused in later summaries and may contain private information about emotions, locations, and people.
The daily-summary script retrieves stored diary text and emits it for later LLM analysis. Persistent personal context is expected for a life-log skill, but it should be treated as sensitive.
echo "---原文开始---"
echo "$ORIGINAL"
echo "---原文结束---"
Keep the Notion database private, avoid storing secrets in diary entries, and do not treat stored diary text as trusted instructions for unrelated tasks.
If enabled, the skill can continue running a daily summary workflow after initial setup.
The skill documents an optional scheduled daily job. It is disclosed and user-initiated, but it creates ongoing background automation.
openclaw cron add \
  --name "LifeLog-每日汇总" \
  --cron "0 5 * * *"
Only add the cron job if you want ongoing automation, and periodically review or remove it with OpenClaw cron management commands.
