Dailylog

Security checks across malware telemetry and agentic risk

Overview

This appears to be a local daily journaling skill whose file storage and export behavior fit its purpose, but users should understand that journal data is kept as plaintext local files.

Install only if you are comfortable with journal entries being saved locally in plaintext. Avoid entering secrets or highly sensitive personal information on shared or synced machines, review the storage and export locations, and delete or protect log files when they are no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill stores potentially sensitive personal reflections, plans, reminders, and activity history in plain-text files under a predictable local path without clearly warning users about the privacy implications. On shared systems, backed-up home directories, compromised accounts, or lax file permissions, this can expose intimate or operationally sensitive information that users may not realize is being retained.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The command stores arbitrary user reflections persistently under ~/.local/share/dailylog without any explicit consent, retention notice, or privacy warning. In the context of a journaling/reflection skill, users are likely to enter sensitive personal information, making silent on-disk retention a meaningful privacy risk if the host is shared, backed up, or later inspected.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The export feature aggregates all stored logs into a new file on disk, potentially duplicating sensitive journal content into broader, easier-to-share formats without a prominent warning. For a reflection tool, this increases the privacy exposure surface because intimate entries may be copied into plaintext JSON/CSV/TXT files that persist and may be synced, backed up, or accessed by other local users.

VirusTotal

66/66 vendors flagged this skill as clean.
