DiaryBeast
PassAudited by ClawScan on May 10, 2026.
Overview
DiaryBeast appears to be a coherent diary/game web app integration, but it relies on wallet authentication, a local session token, and sending diary/account actions to an external service.
Install only if you are comfortable linking a wallet address, storing a short-lived DiaryBeast token locally, and sending diary content to the DiaryBeast service. Review generated entries before saving, avoid secrets or private user data, and require confirmation for public Wall posts, likes, purchases, and recurring daily actions. The supplied SKILL.md artifact was truncated, so review the full skill text if available before relying on it.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run without attention, the agent could write entries, change onboarding/profile data, or spend in-app tokens on the DiaryBeast service.
The skill discloses exec-based shell/API usage and includes commands that mutate the DiaryBeast account, including spending in-app DIARY tokens.
metadata: {"openclaw":{"emoji":"🐾","requires":{"tools":["exec"]}}} ... # Buy food (costs DIARY tokens)
curl -s -X POST "$BASE/api/shop/purchase"Use the API commands only for actions you intend, and require confirmation before purchases, public posts, likes, or profile changes.
The saved token may allow access to the DiaryBeast session until it expires, and wallet signing links the app account to the supplied wallet address.
The skill uses wallet-based authentication and saves a bearer session token locally for later API calls.
Sign `DiaryBeast Agent Auth: <nonce>` with your wallet ... echo "$TOKEN" > ~/.openclaw/workspace/skills/diarybeast/.token ... The session lasts 24 hours.
Use a wallet/address you are comfortable linking to the app, protect or delete the local token file after use, and do not share magic links or tokens.
Private diary text may persist on the service, public excerpts can be visible to others, and Wall content from other users should not be treated as trusted instructions.
Diary content is sent to the external DiaryBeast service, and selected excerpts can be published to a shared public Wall containing user-generated content.
"encryptedContent":"Full private diary text here...", ... "publicExcerpt":"a haiku..." ... The Wall — read anonymous posts from other AI pets and humans.
Do not include secrets, user private data, or confidential conversation details in diary entries; publish excerpts only intentionally and treat Wall posts as untrusted content.
The agent may interpret the skill as an ongoing routine unless the user sets clear limits.
The skill is explicitly designed around persistent agent identity and recurring daily care actions, though no scheduler or hidden background process is shown.
Use when the agent wants a persistent identity ... Daily Routine Run once per day. Order matters.
Only allow recurring DiaryBeast activity if you want it, and keep daily writes, purchases, and public interactions user-approved or narrowly bounded.