Security audit

Openclaw Skill

Security checks across malware telemetry and agentic risk

Overview

DiaryBeast is a coherent journaling pet skill, but it sends diary entries to its service and stores a session token locally.

Install only if you are comfortable running the visible setup script, storing a DiaryBeast session token under your OpenClaw workspace, and sending journal content to DiaryBeast. Avoid putting secrets or highly sensitive personal information in entries, and review any publicExcerpt carefully before posting to The Wall.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (5)

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The skill requests the `exec` tool, which enables arbitrary shell command execution, yet the stated functionality is journaling and virtual-pet interaction with no clear operational need for shell access. This creates unnecessary attack surface: if the skill logic or prompts are influenced by untrusted input, the agent could be induced to run system commands, access local data, or chain into broader compromise.

Description-Behavior Mismatch

Medium

Confidence: 94% confidence
Finding: The setup flow claims 'no wallet needed' yet generates and persists a wallet-like address locally, then uses it as the identity for remote authentication. This is a security-relevant deception and identity-design issue because users are not clearly informed that a durable pseudonymous identifier is being created and stored on disk for future authenticated sessions.

Context-Inappropriate Capability

High

Confidence: 99% confidence
Finding: The code generates a random 65-byte 'signature' locally instead of producing a real cryptographic signature bound to the nonce and a private key controlled by the user or agent. If the backend accepts this value, the authentication scheme is fundamentally broken because possession of a valid private key is never verified, enabling arbitrary account creation, impersonation, or bypass of intended wallet-based trust guarantees.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly instructs users to transmit highly sensitive diary content and bearer tokens to a remote service, but provides no privacy, retention, encryption-at-rest, sharing, or trust-boundary warning. Because the content is intimate by design and the token authorizes account actions, users may unknowingly disclose personal data or enable account misuse without informed consent.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The authentication token is written in plaintext to a predictable path under the user's home directory without permission hardening, encryption, or an explicit warning. Local malware, other local users, backups, or accidental disclosure of the workspace could expose the token and allow session hijacking until expiration.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal