Diary System

Security checks across malware telemetry and agentic risk

Overview

This diary skill is not malware, but it asks the agent to persist private diary content and user observations with broad automatic triggers and limited consent guardrails.

Review carefully before installing. Only use this if you are comfortable with the agent modifying SOUL.md, USER.md, and AGENTS.md, writing persistent diary files, tracking diary read state, and potentially storing observations about you. Consider removing the easter egg rules, requiring explicit consent before diary writes, and adding a confirmation step before any diary text is shown in chat.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The file extends a setup/sharing skill into ongoing autonomous behavior: writing diary entries and creating unsolicited 'easter eggs'. That broadens the capability scope from user-requested configuration to self-initiated actions, which can cause unexpected data collection, storage, and outbound behavior without clear user consent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The 'easter egg' instructions authorize unrequested content generation and delayed tasking unrelated to the stated purpose of a diary-system setup skill. This creates scope creep and can lead the agent to perform surprise actions or retain context for future use without a direct user-triggered workflow.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The trigger conditions are intentionally subjective ('if you feel it', 'conversation naturally loosens'), which makes activation hard to bound or audit. In practice this can cause the agent to write diary entries during ordinary conversations and persist user-related content without a clear, explicit user action or consent event.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The startup rule says the agent MUST ask about the diary whenever the unread flag is false, which creates an automatic cross-session behavior not tightly scoped to a diary-specific context. That can lead to unsolicited diary-related prompting in new sessions and increases the chance of accidental disclosure of prior stored content.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The README instructs users to modify core workspace files and configure persistent on-disk diary storage, but it does not prominently warn that this changes agent behavior and stores private reflective content locally. Users may enable it without understanding the privacy, persistence, and disclosure implications.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill instructs the agent to send the full contents of the latest diary file into the current chat when the user asks to view it, but it does not warn that this may expose highly sensitive personal reflections in a potentially shared or logged interface. Because diary data is explicitly framed as private emotional content, displaying it wholesale without a clear consent and privacy warning creates a realistic confidentiality risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
These instructions direct the agent to automatically modify and save USER.md after diary generation without any explicit user notification or consent step. Silent state changes to user profile/configuration files can undermine user expectations, create integrity issues, and be abused to persist metadata changes the user did not knowingly authorize.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
Marking a diary as read in USER.md and saving that change without a visible warning or confirmation performs a silent state transition on behalf of the user. This can misrepresent user activity, reduce transparency, and create downstream logic errors if other automations trust the read-status flag.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The rule instructs the agent to read the latest diary entry and send its full contents into chat with no privacy guardrails, minimization, or reconfirmation step. Because diaries are explicitly private and sensitive, automatic full-text disclosure increases the risk of exposing intimate personal data in the wrong context, channel, or audience.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The trigger criteria are subjective and broad ('if you feel it', seasonal context, personal taste, relaxed conversation), making activation unpredictable. In practice this can cause unintended invocation of diary writing or unsolicited actions during normal chats, increasing the chance of privacy-invasive or off-scope behavior.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The instructions explicitly permit writing 'observations about the user' into a 'private' diary not written for the user, without notice, consent, retention limits, or data-handling rules. This creates a clear privacy risk because the system may store sensitive inferences or personal data in a hidden log the user did not meaningfully authorize.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The skill explicitly instructs appending persistent state to `USER.md` and describes it as something the system should maintain automatically, but it provides no user warning, consent step, or boundary on when file modification is allowed. In an agent skill, silent modification of user data files is risky because it can create or change persistent state without the user understanding that their files are being rewritten.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The automation rules instruct the agent to update timestamps and read-state flags automatically after diary actions, which normalizes silent persistent state changes. In the context of a diary skill, this is especially sensitive because it tracks behavioral metadata about private journaling activity and can do so without an explicit per-update warning.

Ssd 3

Severity: Medium
Confidence: 96%
Finding:
The diary guidance explicitly allows storing observations about the user, search trails, and conversational details in a 'private' log. That creates persistent storage of potentially sensitive personal data outside the immediate chat context, with a later path to disclosure if the diary is shown or the files are accessed.

Ssd 3

Severity: Medium
Confidence: 95%
Finding:
The skill directs the AI to send the full contents of the latest diary file into chat on request, even though those entries may contain sensitive user-related observations recorded earlier. Full-file disclosure is risky because it bypasses minimization and can reveal more than the user expects or than is necessary for the current request.

Ssd 3

Severity: Medium
Confidence: 95%
Finding:
The skill creates a direct natural-language disclosure path for private diary contents by instructing the agent to read the latest file and send the full text into chat on request. Since diary entries are described as a private space containing real thoughts and emotions, this behavior can expose sensitive personal data through chat logs, screenshots, integrations, or unintended viewers.

Ssd 3

Severity: Medium
Confidence: 95%
Finding:
Encouraging a 'private' diary that can include search trails, reading notes, and observations about the user promotes covert retention of potentially sensitive information. Even if framed as internal reflection, this is dangerous because it normalizes recording user-related data outside the visible conversation and outside a clear operational need.

VirusTotal

65/65 vendors flagged this skill as clean.