phoenixclaw

Security checks across malware telemetry and agentic risk

Overview

PhoenixClaw is a real journaling skill, but it needs review because it broadly scans private session history, runs recurring jobs, executes plugins, and contains avoidable shell-command fallbacks.

Install only if you want a passive journal that can read all OpenClaw session logs, memory files, media references, agent runs, and cron runs, then store summaries and inferred profile data locally. Before enabling cron, choose the journal path carefully, review which plugins are enabled, and prefer a fixed version that removes the execSync shell fallbacks and adds clearer controls for media retention, profile updates, and plugin access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (30)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
A journaling skill should not mandate finance or ledger processing by default unless the user has explicitly enabled and understood that behavior. Routing payment screenshots and transaction-related artifacts into a ledger workflow expands the skill's scope into financial data processing, which is more sensitive than ordinary journaling.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill goes beyond daily journal generation by updating long-term profile, growth-map, and timeline files containing inferred traits and significant events. That scope expansion increases privacy risk because users asking for a journal may not expect ongoing profile construction and persistent behavioral records.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The documentation explicitly expands the skill from passive journaling into recursive collection of data from multiple session directories and instructs updates to memory/profile artifacts. That creates a broad-surveillance and persistent-state-modification behavior that exceeds what many users would reasonably expect from a journaling feature, increasing the chance of sensitive data capture and retention.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Running the cron job in an isolated session with full tool access gives the skill broader filesystem and tool capabilities than are needed for simple passive journal generation. If the workflow or plugins behave unexpectedly, this enlarged privilege scope increases the blast radius for data access and persistence.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The workflow adds photo ingestion, buffering, vision analysis, and permanent asset handling to a journaling skill that is described as passive and text-focused. In context, this materially expands the skill's capabilities to process and retain user media, increasing privacy risk and attack surface without clear scope limitation or explicit consent.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Documenting direct support for Telegram, WhatsApp, Discord, and CLI file-path intake broadens the skill from journal summarization into multi-channel media collection. Because the skill already scans all session paths, these extra intake paths increase the chance of over-collection from external sources and of handling sensitive files outside user expectations.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The file expands a passive journaling skill into recommending unrelated third-party skills across mental health, productivity, relationships, finance, and health domains. In this context, the skill already scans conversations from all session paths, so using that data to drive cross-domain recommendations is a material scope expansion that can mislead users about how their private journal content is being repurposed.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The recommendation logic explicitly profiles users over time by tracking repeated patterns across entries, storing detections in internal metadata, checking prior rejections, and enforcing timing rules. For a passive journaling skill that scans all session paths, this creates persistent behavioral inference without an explicit necessity or consent boundary, increasing privacy and misuse risk.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script falls back to execSync with shell commands for both directory creation and journal writing. Even though some quoting is attempted, passing paths and content derived from configuration and conversation data to a shell expands the attack surface to command injection, shell parsing ambiguities, and unintended execution behavior; in this skill, the journal content is sourced from untrusted logs, making shell-based handling especially unsafe.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises passive journaling but does not clearly warn users that it scans conversations across all session paths and persists derived records to files. This is dangerous because users may unknowingly expose sensitive cross-context conversations, media, and reflections to long-term storage.

Natural-Language Policy Violations

Medium
Confidence
79% confidence
Finding
Defaulting to Asia/Shanghai without clear opt-in can cause the skill to sweep the wrong date boundaries and include conversations from unintended periods. In a journaling system that scans all sessions, incorrect timezone assumptions can silently over-collect or misclassify sensitive content.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The manifest grants expansive capabilities including reading all session/agent/cron logs, registering cron jobs, and executing plugins, but it does not define trigger scope, user-consent boundaries, or invocation constraints. In a journaling skill, this creates a real overprivilege risk: the skill can continuously collect sensitive cross-context data and potentially extend its behavior through plugins without clear limitations.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The skill writes output to a hard-coded Chinese-language journal directory under the user's home path without evidence of installation-time selection or runtime opt-in. This can cause unintended data placement, silent creation of sensitive journal files in an unexpected location, and privacy exposure if backups, sync tools, or other software monitor that directory.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The file describes automated scanning of conversations and logs across multiple locations and writing derived outputs, but does not present a clear privacy warning, consent mechanism, or explanation of data impact. Users may unknowingly enable continuous collection and persistence of sensitive conversational content, including material from other agents or cron runs.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The workflow explicitly moves media from a transient buffer into a permanent assets directory but does not require user-facing disclosure or confirmation. For a journaling skill that scans broad session histories, silent persistence of photos can retain sensitive personal images far beyond what users reasonably expect.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The copy command persists all matching inbound images into a long-lived journal directory without prompting, filtering, or warning. This can archive sensitive or irrelevant images automatically, which is especially risky given the skill's broad session scanning behavior and personal journaling context.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The protocol explicitly allows plugins to access sensitive objects like raw memory and user configuration, and to export results into journals or create standalone files, but it does not define any consent, disclosure, scope-limiting, or permission model. In the context of a journaling skill that scans conversations from all session paths, this increases privacy and data-handling risk because third-party plugins could access highly sensitive personal content and persist derived data without clear user awareness.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This document explicitly directs the skill to scan available conversation history and persist inferred personality traits, communication patterns, interests, and growth observations over time, but it does not pair that behavior with a clear consent flow, retention notice, or user-facing warning about ongoing storage. In the context of a journaling skill that processes conversations from all session paths, this creates meaningful privacy risk because sensitive behavioral inferences can accumulate persistently even if direct secrets are excluded.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script recursively enumerates and reads session logs from multiple user directories, including main, agent, and cron paths, without any consent check, scope limitation, or user-facing disclosure. In the context of a journaling skill that semantically analyzes conversations, this creates a clear privacy and surveillance risk because highly sensitive historical conversations may be collected and processed beyond what a user expects from a single journaling request.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
Hard-coding Asia/Shanghai as the default timezone can silently misclassify which messages belong to a given day, causing the skill to include or omit conversations unexpectedly. In a cross-session journaling tool, that can expose content from the wrong day or generate inaccurate behavioral summaries, which becomes a privacy and integrity issue rather than a mere usability bug.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrases are broad and context-insensitive, such as matching common statements about stress, sleep, or productivity struggles. Because the skill processes broad conversation history, these loose heuristics can generate inaccurate recommendations, exposing sensitive inferences and nudging users toward skills they did not ask for.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document states that sensitive journaling patterns should be observed and logged in internal metadata, but there is no user-facing privacy notice, consent flow, or retention disclosure. Given that the overall skill scans conversations from main, agents, and cron paths, undisclosed logging of mental health, relationship, and finance-related signals is a significant privacy risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script persistently writes journal files assembled from conversation logs without any explicit runtime consent, confirmation, or warning. In this skill context, that is more dangerous because it aggregates potentially sensitive user and assistant content from all session paths into durable markdown files, increasing privacy exposure and retention risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script recursively scans multiple default session roots, including agent and cron directories, and reads all .jsonl logs without explicit disclosure or scope limitation. Given the skill description explicitly targets 'ALL session paths,' this broad collection materially increases privacy risk by pulling in unrelated or more sensitive conversations that the user may not expect to be journaled.

Ssd 3

High
Confidence
97% confidence
Finding
The skill is designed to comprehensively collect conversations, memories, media, and inferred personal information from multiple session stores, then persist them into journals and other records. This violates data minimization principles and creates a large privacy attack surface if the output files, logs, or plugins are accessed by other tools or users.

VirusTotal

66/66 vendors flagged this skill as clean.
