Xinqing Journal

Security checks across malware telemetry and agentic risk

Overview

This is a local mood-journal tool that stores diary data on disk and shows no evidence of hidden network activity, automatic execution, or destructive behavior.

Install only if you are comfortable storing personal journal and mood data locally in the OpenClaw workspace. Treat the data file as sensitive, include it carefully in backups, and do not assume the anonymized export is fully anonymous because it can still include dates, tags, moods, and scores.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Low
Confidence: 94%
Finding
The skill advertises privacy-preserving local storage, but it stores the full unredacted diary text in `raw_text` in addition to cleaned content. This increases exposure of sensitive personal data if the local file is accessed, backed up, exported, or read by another local process, and it conflicts with the stated privacy expectations.

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The `anonymize` export mode is documented as keeping only aggregate mood statistics, but it still exports per-entry identifiers, dates, moods, scores, and tags. That dataset can still reveal behavioral patterns and may be re-identifiable, especially for personal journals with sparse entries or distinctive tags.

VirusTotal

64/64 vendors flagged this skill as clean.
