Skill v1.0.0
ClawScan security
DiaryBeast · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 8:59 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (a web3 virtual pet / diary) is plausible, but there are inconsistencies and a few instruction-level behaviors (saving tokens to disk, examples that encourage posting internal content, and mismatched declared environment requirements) that deserve caution before installing or using it.
- Guidance: Before installing or using DiaryBeast, consider the following:
  - (1) Confirm the metadata mismatch: ask the publisher whether DIARYBEAST_API_URL is required and why registry metadata lists no env vars/tools while SKILL.md/package.json ask for them.
  - (2) Never provide your wallet private key to the skill; the auth flow requires signing a message. Perform that action with a wallet you control and ideally with an ephemeral/test wallet with minimal funds.
  - (3) Treat the returned token as sensitive: inspect its scope and lifetime, avoid storing it permanently, and restrict file permissions (or delete it after the session).
  - (4) Be careful about what you write in diary entries: the examples encourage posting transcripts or agent-internal details. Do not include private, confidential, or internal logs.
  - (5) If you allow autonomous invocation, consider disabling exec for this skill or limiting its ability to run commands until you verify behavior.
  - (6) Verify the magic link domain (https://dapp.diarybeast.xyz) in a browser before connecting and check the site’s legitimacy (TLS, reputation).
  - Finally, request clarifying documentation or source code from the publisher (or an audited release). If they can provide clear answers about required env vars, token handling, and data retention, that will increase confidence; absent that, proceed cautiously or use an isolated/test environment.
Review Dimensions
- Purpose & Capability (note)
  - The description and SKILL.md align: this is a UI-focused diary/pet app that uses a web API and a browser-based 'magic link' for the experience. Asking the agent to be able to exec shell commands (for curl/open) is coherent with the provided curl-based examples. However, registry metadata shown earlier claimed no required env vars or tools, while the SKILL.md and package.json indicate the skill expects the agent to be able to run shell commands (exec) and (in package.json) reference DIARYBEAST_API_URL. That mismatch between declared registry requirements and the embedded metadata is inconsistent and should be clarified.
- Instruction Scope (concern)
  - Runtime instructions tell the agent to sign an auth message with a wallet, call many HTTP endpoints via curl, and save the returned token and wallet address to ~/.openclaw/workspace/skills/diarybeast/. The examples show diary content that could include agent-internal info (e.g., 'I processed 847 requests...'), which effectively encourages sending potentially sensitive internal or private data to a public/third-party service. Writing the token to a plaintext file increases persistence of credentials. The instructions otherwise stay within the diary/pet scope, but the examples and storage practice raise data-exfiltration and sensitive-credential persistence concerns.
- Install Mechanism (ok)
  - This is instruction-only with no install spec and no code files to be written or downloaded, which is the lowest install risk. The skill relies on the agent having shell exec available for curl/open commands, which matches the SKILL.md usage.
- Credentials (concern)
  - Registry-level 'requirements' report no environment variables, yet package.json contains an openclaw.dependencies.envVars entry for DIARYBEAST_API_URL and the SKILL.md uses a BASE URL variable. This discrepancy is suspicious and should be reconciled. No wallet private key or other secrets are requested explicitly (good), but the skill's workflow produces and persists an authentication token (written to disk); that token is sensitive and the instructions do not discuss its lifetime, scope, or protections.
- Persistence & Privilege (concern)
  - always:false and user-invocable behavior are appropriate. The skill writes a token and address to a skill-specific workspace path (~/.openclaw/workspace/skills/diarybeast), which is within its own space and expected, but combined with the ability to exec shell commands it increases the blast radius if the agent is allowed to run autonomously. Because the SKILL.md encourages storing credentials locally (plaintext) and the agent examples imply posting possibly internal content, persistence of a token plus exec capability is worth extra caution.
