ClawHub
Back to skill

Security audit

Dear Agent: AI Diary and Journal Keeper

Security checks across malware telemetry and agentic risk

Overview

This diary skill is local and purpose-aligned, but it can proactively store sensitive personal moments from ordinary conversation without clear confirmation or deletion controls.

Install only if you are comfortable with an agent saving personal diary material from normal conversations. Before using it, set a clear local storage location, periodically review the diary files, and avoid sharing sensitive photos, voice notes, or private details unless you intend them to become persistent records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

High
Confidence
96% confidence
Finding
The activation description is extremely broad and can trigger on ordinary conversation such as sharing feelings, events, photos, or asking reflective questions. In a diary skill that stores highly sensitive personal data, overbroad triggering risks collecting and persisting intimate information without sufficiently explicit, informed user intent.

Vague Triggers

High
Confidence
95% confidence
Finding
The skill instructs the agent to be proactive in capturing user statements and to infer diary-worthiness from ambiguous personal sharing. Because the content includes emotions, meetings, milestones, photos, and voice notes, this can lead to silent retention of sensitive data beyond what the user clearly intended to store.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill handles highly sensitive life-log data but does not provide a prominent warning at the point of behavior definition that the agent may proactively store personal text, photos, and voice notes. Without strong upfront notice, users may not realize ordinary conversation could become durable stored records, increasing privacy and consent risks.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.