Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
phoenixclaw
v0.0.19
Passive journaling skill that scans daily conversations from ALL session paths (main, agents, cron) via cron to generate markdown journals using semantic und...
⭐ 0 · 3.1k · 1 current · 1 all-time
by betterest@goforu
MIT-0
License
MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (passive journaling from session logs + memory) matches the code and SKILL.md: it enumerates OpenClaw session and memory locations, extracts messages and images, and writes Markdown journals. The required read/write paths in _meta.json align with journaling. Minor oddity: the default journalPath in the code points to /mnt/synology/... (an external mount), which is a surprising default but can be overridden via config.
Instruction Scope
The runtime instructions explicitly require scanning ALL session directories (main, agents, cron) and per-message timestamps, extracting and copying image files, preserving EXIF/GPS, and executing plugins at multiple hook points. This broad scan will read other agents' session logs and media, and the mandatory 9-step 'NEVER skip' workflow, combined with automatic plugin execution, increases the amount of user data processed and shared with plugins. The instructions also recommend registering a cron job that runs nightly and must have read/write access to many user paths.
Install Mechanism
No install spec is provided (instruction-only plus included scripts), so nothing is downloaded from external URLs during installation. The code files are included in the skill bundle, which reduces supply-chain download risk. However, the included node scripts execute shell fallbacks (execSync), which carries runtime risk if inputs are not carefully sanitized.
Credentials
The skill declares no required env vars, but scripts read environment variables (PHOENIXCLAW_JOURNAL_PATH, OPENCLAW_SESSIONS_PATH, TARGET_TZ) and a config at ~/.phoenixclaw/config.yaml — these are not listed as required in metadata. The manifest writes to many user directories and the code's default journal path points to an external mount. The skill also preserves EXIF/GPS from images and routes finance screenshots to a Ledger plugin: both are sensitive and justify explicit, clear consent and narrower scope.
Persistence & Privilege
The skill explicitly instructs registering a nightly cron job (openclaw cron add) that will run automatically and scan all sessions and media. While autonomous invocation is the platform default, combining scheduled runs, broad read/write access, and plugin execution increases the blast radius if misconfigured or if a plugin is malicious. The skill does not set always:true, but cron registration implies persistent background activity and system-wide file access.
What to consider before installing
Before installing, consider the following:
1) This skill will scan all OpenClaw session logs and media (including agent/cron sessions) and copy images into a journal assets folder — that may include sensitive messages, receipts, or GPS metadata.
2) If you want journaling but with tighter privacy, change the default journal path to a safe location, limit which session directories are scanned, and disable cron registration initially.
3) Review the two included scripts (rolling-journal.js and session-day-audit.js) for the shell execSync calls and ensure inputs (paths, filenames, log contents) cannot be attacker-controlled; consider removing or sandboxing shell fallbacks.
4) Plugins: PhoenixClaw will discover and run plugins that declare depends: phoenixclaw; only enable trusted plugins (finance/ledger plugins will see payment screenshots).
5) If you proceed, test in an isolated account or VM, validate config.yaml before the skill runs, and consider stripping EXIF/GPS from images or disabling image extraction if you do not want location metadata captured.
6) If you need a cleaner security posture, ask the author to (a) explicitly declare env vars and required paths, (b) avoid executing shell fallbacks, and (c) document the exact plugin discovery and permission model.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/rolling-journal.js:333
Shell command execution detected (child_process).
