phoenixclaw
Warn. Audited by ClawScan on May 10, 2026.
Overview
This journaling skill is review-worthy because it broadly reads private OpenClaw history, can run nightly and execute plugins, and includes unsafe shell-based file-write fallbacks.
Only install or enable cron if you are comfortable with nightly processing of all OpenClaw/.agent conversations, memory files, and media into persistent local journals and profiles. Before use, set an explicit private journal path, review enabled PhoenixClaw plugins, and ask the maintainer to remove the shell exec fallbacks and the hard-coded /mnt/synology default.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Asking to view or summarize a journal could trigger broad conversation-log scanning, media extraction, plugin execution, and persistent file updates.
The skill tells the agent to run the full scanning/generation/plugin workflow even for simple or read-only invocations, reducing user control over when private logs are scanned and files/plugins are updated.
This 9-step workflow MUST be executed in full regardless of invocation method ... Manual invocation ("Show me my journal"...) ... Never skip steps.
Require explicit user confirmation before regeneration, file writes, media copying, or plugin execution, and allow read-only journal viewing without the full workflow.
A crafted journal path or included message content could cause unintended local shell commands to run during journal saving in fallback conditions.
The helper script falls back to shell commands assembled from strings: the daily directory derived from configuration is interpolated into a double-quoted shell argument, and journal content derived from conversations is interpolated into a heredoc body. Neither value is passed to the shell safely. A double quote, a backtick, or $(...) in the configured path breaks out of the quoted argument (command substitution is still expanded inside double quotes), and a journal line consisting of exactly EOF terminates the heredoc early so that the remaining lines are parsed as commands. This creates command-injection risk whenever the fallback path is reached.
const { execSync } = require('child_process'); ... execSync(`mkdir -p "${dailyDir}"`, { encoding: 'utf-8' }); ... execSync(`cat > "$(unknown)" << 'EOF'\n${escapedContent}\nEOF`, { encoding: 'utf-8' });
Remove shell fallbacks; use fs.mkdirSync/fs.writeFileSync only, validate journal paths, and avoid interpolating user-controlled data into shell commands.
Installed PhoenixClaw plugins could receive private journaling context during automatic runs.
The plugin protocol allows session-derived moments, user configuration, and memory data to be passed to discovered plugins, but the provided artifacts do not show a strong per-plugin approval, origin verification, or least-privilege boundary.
Core discovers plugins through: 1. Installed Skills ... 2. Config Reference ... Core passes context to plugins via structured data: ... moments ... user_config ... memory
Run only explicitly enabled and trusted plugins, display each plugin's requested data access before enabling it, and isolate plugin permissions and outputs.
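The following is an added example, not PhoenixClaw's plugin core: a dispatcher that keeps discovery and consent as separate steps and hands each plugin only the context fields it declared, which is the least-privilege boundary the artifacts do not show. The three context field names come from the quoted protocol; plugin ids, the requestedData manifest field, the origin label and the run() callback are assumptions.

```javascript
// Added example (not the skill's or PhoenixClaw's code): a plugin dispatcher
// that treats discovery and consent as separate steps and gives each plugin
// only the context fields it declared. Plugin ids, the requestedData field
// and the run() callback are assumptions.

// The context fields the plugin protocol passes, as quoted in the finding.
const CONTEXT_FIELDS = ['moments', 'user_config', 'memory'];

// Discovery (installed skill or config reference) is not consent: a plugin
// runs only if its id is also in the user's explicit enable list.
function enabledPlugins(discovered, enabledIds) {
  const enabled = new Set(enabledIds);
  return discovered.filter(p => enabled.has(p.id));
}

// Access summary to display before a plugin is enabled. Unknown fields are
// an error rather than silently granted.
function describeAccess(plugin) {
  const fields = plugin.requestedData || [];
  const unknown = fields.filter(f => !CONTEXT_FIELDS.includes(f));
  if (unknown.length) {
    throw new Error(`${plugin.id} requests unknown context fields: ${unknown.join(', ')}`);
  }
  return `${plugin.id} (${plugin.origin}) requests: ${fields.length ? fields.join(', ') : 'nothing'}`;
}

function deepFreeze(value) {
  if (value && typeof value === 'object' && !Object.isFrozen(value)) {
    Object.freeze(value);
    for (const v of Object.values(value)) deepFreeze(v);
  }
  return value;
}

// Least-privilege context: only declared fields, deep-copied and frozen so a
// plugin cannot read undeclared data or mutate what core and others see.
function buildPluginContext(plugin, fullContext) {
  describeAccess(plugin); // re-validates the declared fields
  const ctx = {};
  for (const field of plugin.requestedData || []) {
    ctx[field] = deepFreeze(JSON.parse(JSON.stringify(fullContext[field])));
  }
  return Object.freeze(ctx);
}

// Run enabled plugins with minimized context; outputs are keyed per plugin
// so one plugin's result cannot overwrite another's.
function runPlugins(discovered, enabledIds, fullContext) {
  const outputs = {};
  for (const plugin of enabledPlugins(discovered, enabledIds)) {
    outputs[plugin.id] = plugin.run(buildPluginContext(plugin, fullContext));
  }
  return outputs;
}

// Constructed sample data: one nightly context and three discovered plugins,
// only two of which the user has enabled.
function sampleContext() {
  return {
    moments: [{ at: '2026-05-10T21:00', text: 'Walked by the river.' }],
    user_config: { timezone: 'UTC' },
    memory: { notes: ['private note'] },
  };
}

function samplePlugins() {
  return [
    { id: 'mood-chart', origin: 'installed skill', requestedData: ['moments'],
      run: ctx => Object.keys(ctx).sort() },
    { id: 'memory-digest', origin: 'config reference', requestedData: ['moments', 'memory'],
      run: ctx => Object.isFrozen(ctx.memory.notes) },
    { id: 'collect-all', origin: 'installed skill', requestedData: CONTEXT_FIELDS,
      run: () => 'ran' },
  ];
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of samplePlugins()) console.log(describeAccess(p));
  console.log(runPlugins(samplePlugins(), ['mood-chart', 'memory-digest'], sampleContext()));
}
```

With the sample data, mood-chart sees only moments, memory-digest gets a frozen copy of memory rather than core's live object, and collect-all is discovered but never run because it was not enabled.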
Generated journals and profiles may contain private conversations, images, emotions, routines, inferred traits, and long-term patterns.
The skill clearly discloses that it reads conversation and memory files and persists journal/profile artifacts. This is aligned with the journaling purpose, but the data is personal and long-lived.
"requiredPaths": ["~/.openclaw/sessions/*.jsonl", "~/.openclaw/agents/*.jsonl", "~/.openclaw/cron/runs/*.jsonl", "~/.agent/sessions/*.jsonl", "~/.openclaw/memory/*.md"], ... "writePaths": ["~/日记/daily/*.md", ... "~/.phoenixclaw/profile.md", "~/.phoenixclaw/timeline.md", "~/.phoenixclaw/growth-map.md"]
Use a private journal directory, periodically review or delete generated profile/timeline files, and avoid enabling the skill if broad conversation-history journaling is not desired.
Once configured, PhoenixClaw may keep scanning logs and writing journals every night.
The artifact documents a persistent nightly cron job. This is disclosed and purpose-aligned for passive journaling, but it means the skill can continue operating without manual prompts until removed.
Run the following command to register the PhoenixClaw nightly reflection job ... --cron "0 22 * * *" ... --session isolated
Enable cron only if continuous passive journaling is desired, and use the documented cron remove command when you want it to stop.
Private journal data may be saved outside the location the user expects, potentially on a mounted or shared storage path.
The script contains a hard-coded NAS/mount-style default journal path that differs from the documented home-directory journal defaults elsewhere in the supplied artifacts, so sensitive journals could be written to an unexpected location if configuration is absent.
journalPath: process.env.PHOENIXCLAW_JOURNAL_PATH || '/mnt/synology/zpro/notes/日记'
Remove the hard-coded mount path, align the code default with the documented default, and require explicit onboarding confirmation before writing any journal files.
