Devlog Skill

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward developer journaling skill that installs and uses a local logging CLI, with persistence and package-install risks users should understand.

Install only if you are comfortable with setup.sh installing Python tooling and dev-log-cli from PyPI. Treat devlog entries as persistent local records: avoid logging secrets, credentials, customer data, sensitive incident details, or confidential project information unless you have verified where dev-log-cli stores its SQLite database and how to delete or redact entries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding: The skill explicitly states that it stores project milestones, task statuses, and context in a structured SQLite database, but it does not warn users that invoking the skill will persist potentially sensitive project information locally. In an agent setting, that can lead to unintentional retention of secrets, internal project names, incident details, or other sensitive operational context.

Context Leakage

High
Category: Data Exfiltration
Content:
A standardized journaling skill for OpenClaw agents to track progress, tasks, and project status using `dev-log-cli`.

## Description
This skill enables agents to maintain a professional developer log. It's designed to capture context, project milestones, and task statuses in a structured SQLite database.

## Requirements
- `dev-log-cli` (installed via `pipx`)
Confidence: 84%
Finding: capture context

VirusTotal

53/53 vendors flagged this skill as clean.
