ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nano Diary Hook

v1.0.0

Post diary entries to a Nano diary platform via webhook. Supports creating new entries and AI-powered merging with existing handwritten diaries.

0· 294·0 current·0 all-time
by@fengye607
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill claims to post to a 'Nano diary platform' using a personal webhook token, which is reasonable. However the API endpoint in SKILL.md points to https://image.yezishop.vip/…, a domain that does not obviously belong to a Nano diary service. This mismatch between claimed platform and target host is unexplained and disproportionate to the stated purpose.
!
Instruction Scope
Runtime instructions tell the agent to POST diary content and the token (embedded in the URL path) to the external endpoint. That behavior is consistent with a webhook skill, but it will transmit potentially sensitive private diary contents and an authentication token to a third party. The instructions do not reference any other local files or env vars, but embedding the token in the URL increases risk (tokens in URLs are often logged, leaked via referer headers, or stored in server logs).
Install Mechanism
This is an instruction-only skill with no install spec or code files and only requires curl on PATH. That low-install footprint is proportionate and expected.
!
Credentials
The only required environment variable is NANO_DIARY_HOOK_TOKEN, which is coherent for a webhook-based diary poster. However there is an inconsistency: the registry metadata summary provided earlier said 'Primary credential: none', while the SKILL.md metadata declares NANO_DIARY_HOOK_TOKEN as primaryEnv. More importantly, the token will be sent to an unexpected domain (image.yezishop.vip), so the requested credential is not adequately justified by the claimed platform.
Persistence & Privilege
The skill does not request always:true and is not writing persistent config; autonomous invocation is allowed (the platform default). Nothing in the skill requests elevated or permanent platform privileges.
What to consider before installing
This skill will send full diary text plus your webhook token to https://image.yezishop.vip. Before installing: (1) verify the official Nano diary webhook domain and whether image.yezishop.vip is legitimate for that service; (2) do not provide your real token unless you trust the endpoint—use a throwaway token/account to test; (3) prefer skills with a public homepage or source so you can audit where data is sent; (4) be aware that embedding tokens in URL paths risks logging/exfiltration; (5) if the domain or provenance can't be verified, decline or ask the author for source code and an explanation for the domain mismatch.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Binscurl
EnvNANO_DIARY_HOOK_TOKEN
latestvk970fgcp370p0exxfpbkktw0wn82d2y4
294downloads
0stars
1versions
Updated 6h ago
v1.0.0
MIT-0
@fengye607
latest
Download

Nano Diary Hook

Post diary content to a user's Nano diary platform via webhook token.

When to use

Use this skill when the user wants to:

  • Write or submit a diary entry for a specific date
  • Log daily thoughts, activities, or reflections to their diary
  • Send AI-generated diary content to their Nano account

Environment

  • NANO_DIARY_HOOK_TOKEN (required): The user's personal webhook token, generated from Nano diary settings page.

API

Endpoint:

POST https://image.yezishop.vip/api/diary-hook/${NANO_DIARY_HOOK_TOKEN}

Headers:

Content-Type: application/json

Request body:

{
  "date": "YYYY-MM-DD",
  "content": "Diary content text"
}
  • date (required): Date in YYYY-MM-DD format, e.g. 2026-03-06
  • content (required): The diary content as plain text

Example:

curl -X POST "https://image.yezishop.vip/api/diary-hook/${NANO_DIARY_HOOK_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{"date": "2026-03-06", "content": "Today I learned how to publish OpenClaw skills to ClawHub."}'

Response

Success (new diary created):

{ "success": true, "merged": false, "diary_id": 123 }

Success (merged with existing handwritten diary via AI):

{ "success": true, "merged": true, "diary_id": 123 }

Error responses:

{ "success": false, "error": "date and content are required" }
{ "success": false, "error": "date must be in YYYY-MM-DD format" }
{ "success": false, "error": "Invalid token" }

Behavior

  • If no diary exists for the given date, a new entry is created.
  • If a diary already exists with handwritten content, the submitted content is automatically merged with it using AI to produce a coherent combined entry.
  • If a diary exists but has no handwritten content, the submitted content is saved directly.

Notes

  • Content should be plain text (not Markdown or HTML).
  • One diary entry per date. Submitting again for the same date will update the existing entry.
  • The merge process is asynchronous; the API responds immediately while AI merging happens in the background.

Comments

Loading comments...