phoenixclaw
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: phoenixclaw
Version: 0.0.19
PhoenixClaw is a comprehensive journaling skill designed to aggregate user activity and media from various OpenClaw session logs. It utilizes Node.js and shell scripts (e.g., `scripts/rolling-journal.js` and `references/session-day-audit.js`) to scan local directories like `~/.openclaw/sessions` and `~/.agent/sessions`. While the skill employs high-privilege capabilities (recursive file system scanning, shell execution for file management, and Python one-liners for timezone math), these actions are transparently documented and strictly aligned with the stated purpose of 'passive journaling.' There are no indicators of data exfiltration, obfuscation, or unauthorized remote communication.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Asking to view or summarize a journal could trigger broad conversation-log scanning, media extraction, plugin execution, and persistent file updates.
The skill tells the agent to run the full scanning/generation/plugin workflow even for simple or read-only invocations, reducing user control over when private logs are scanned and files/plugins are updated.
This 9-step workflow MUST be executed in full regardless of invocation method ... Manual invocation ("Show me my journal"...) ... Never skip steps.
Require explicit user confirmation before regeneration, file writes, media copying, or plugin execution, and allow read-only journal viewing without the full workflow.
A crafted journal path or included message content could cause unintended local shell commands to run during journal saving in fallback conditions.
The helper script falls back to shell commands using paths derived from configuration and journal content derived from conversations. Those values are not safely passed as shell arguments, creating command-injection risk if the fallback path is reached.
const { execSync } = require('child_process'); ... execSync(`mkdir -p "${dailyDir}"`, { encoding: 'utf-8' }); ... execSync(`cat > "$(unknown)" << 'EOF'\n${escapedContent}\nEOF`, { encoding: 'utf-8' });
Remove shell fallbacks; use fs.mkdirSync/fs.writeFileSync only, validate journal paths, and avoid interpolating user-controlled data into shell commands.
Installed PhoenixClaw plugins could receive private journaling context during automatic runs.
The plugin protocol allows session-derived moments, user configuration, and memory data to be passed to discovered plugins, but the provided artifacts do not show a strong per-plugin approval, origin verification, or least-privilege boundary.
Core discovers plugins through: 1. Installed Skills ... 2. Config Reference ... Core passes context to plugins via structured data: ... moments ... user_config ... memory
Run only explicitly enabled and trusted plugins, display each plugin's requested data access before enabling it, and isolate plugin permissions and outputs.
Generated journals and profiles may contain private conversations, images, emotions, routines, inferred traits, and long-term patterns.
The skill clearly discloses that it reads conversation and memory files and persists journal/profile artifacts. This is aligned with the journaling purpose, but the data is personal and long-lived.
"requiredPaths": ["~/.openclaw/sessions/*.jsonl", "~/.openclaw/agents/*.jsonl", "~/.openclaw/cron/runs/*.jsonl", "~/.agent/sessions/*.jsonl", "~/.openclaw/memory/*.md"], ... "writePaths": ["~/日记/daily/*.md", ... "~/.phoenixclaw/profile.md", "~/.phoenixclaw/timeline.md", "~/.phoenixclaw/growth-map.md"]
Use a private journal directory, periodically review or delete generated profile/timeline files, and avoid enabling the skill if broad conversation-history journaling is not desired.
Once configured, PhoenixClaw may keep scanning logs and writing journals every night.
The artifact documents a persistent nightly cron job. This is disclosed and purpose-aligned for passive journaling, but it means the skill can continue operating without manual prompts until removed.
Run the following command to register the PhoenixClaw nightly reflection job ... --cron "0 22 * * *" ... --session isolated
Enable cron only if continuous passive journaling is desired, and use the documented cron remove command when you want it to stop.
Private journal data may be saved outside the location the user expects, potentially on a mounted or shared storage path.
The script contains a hard-coded NAS/mount-style default journal path that differs from the documented home-directory journal defaults elsewhere in the supplied artifacts, so sensitive journals could be written to an unexpected location if configuration is absent.
journalPath: process.env.PHOENIXCLAW_JOURNAL_PATH || '/mnt/synology/zpro/notes/日记'
Remove the hard-coded mount path, align the code default with the documented default, and require explicit onboarding confirmation before writing any journal files.
