Back to skill

Security audit

phoenixclaw

Security checks across malware telemetry and agentic risk

Overview

PhoenixClaw appears to be a real journaling skill, but it needs review because it can automatically read broad private session history, store personal/media-derived records, and run plugins on a schedule.

Install only if you deliberately want a background journaling system that can read all OpenClaw session, agent, cron, and memory logs, copy media into a journal, infer long-term personal patterns, and run PhoenixClaw plugins. Before enabling cron, review the journal path, enabled plugins, media retention, profile/growth updates, and prefer a version that removes shell fallbacks and adds clear per-source and per-plugin controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (39)

Lp3

Medium
Category
MCP Least Privilege
Confidence
79% confidence
Finding
The skill invokes environment-dependent behavior by reading paths under the user's home directory and referencing environment variables like TARGET_TZ, but does not declare corresponding permissions. That creates a capability/permission mismatch where the skill can access local context and filesystem-derived data beyond what a reviewer may expect from the manifest alone.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The declared description frames the skill as passive journaling, but the body also includes auditing, configuration-driven external writes, subprocess fallbacks, and behavior that can alter files outside the journal itself. This mismatch undermines informed review and consent, because operators may enable a journal skill without realizing it can write to configurable external locations and perform broader processing.

Context-Inappropriate Capability

Medium
Confidence
76% confidence
Finding
Routing payment screenshots and transaction-like data to a Ledger plugin expands the skill from journaling into financial-data processing. That is sensitive-domain creep: financial artifacts may be retained, parsed, or propagated to additional plugins without a clear need for the stated journaling function.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
Updating timeline, growth-map, and profile files goes beyond generating a daily journal and creates durable behavioral and identity records. This expands the skill into longitudinal profiling without being clearly bounded by the original purpose, increasing privacy risk and the chance of unwanted inference persistence.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The cron payload explicitly tells the agent to execute all installed plugins during an unattended nightly run. That expands the skill from passive journaling into arbitrary plugin-driven behavior, which can inherit whatever capabilities other plugins expose, including network, filesystem, or data-modifying actions. In the context of a background job with full tool access, this materially increases attack surface and makes behavior hard to bound or audit.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The documentation instructs recursive scanning across all known session directories, including agent and cron paths, rather than limiting access to the minimum data needed for journaling. This can pull in unrelated conversations, other agents' activity, and historical automation outputs, creating cross-context data exposure and potentially leaking sensitive content into journals or downstream memory.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The workflow adds media buffering, unresolved-reference detection, vision analysis, file relocation, and journal embedding, which materially expands the skill from passive text journaling into broad image processing and retention. In a journaling context that already scans all session paths, this increases collection and analysis of sensitive user data without clear scope limitation or explicit consent.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Declaring support for Telegram, WhatsApp, Discord, and CLI creates a multi-channel ingestion surface that is broader than necessary for a passive journaling skill. That wider intake surface increases the chance of collecting unrelated or sensitive media from external channels and makes accidental overreach more likely.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file defines behavior that goes beyond passive journaling and summarization by actively steering users toward other skills based on inferred personal patterns. In a skill that already scans conversations across all session paths, this expands scope into behavioral profiling and cross-skill influence without clear user opt-in, increasing privacy and autonomy risks.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Checking `skill-inventory.json`, `user-preferences.md`, and recommendation history introduces additional cross-file and cross-skill data access not necessary for basic journaling. This broadens the skill's data reach and can expose or infer sensitive information about installed tools, preferences, and prior behavior beyond the stated purpose.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The fallback logic invokes shell commands with values derived from configuration-controlled paths and generated content. Although the code adds some quoting, using execSync with interpolated strings is still dangerous because shell metacharacters, embedded newlines, and platform-specific parsing can lead to command injection or unintended file writes if an attacker can influence journalPath or content.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill is designed to passively scan conversations across main, agent, and cron paths and then write multiple outputs, yet it does not present a clear user-facing warning about the breadth of collection or the resulting file modifications. This is dangerous because it can silently consolidate sensitive, cross-context conversation data into new persistent artifacts without contemporaneous consent.

Missing User Warnings

High
Confidence
93% confidence
Finding
The workflow instructs the agent to extract image paths from logs and copy media into assets directories, duplicating user files without warning. Duplicating private images increases retention, broadens access surfaces, and can preserve media the user did not intend to re-store in a journal repository.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Automatic updates to timeline, growth-map, and profile create long-lived records of inferred behavior and identity traits without a strong warning about persistence. This is risky because users may expect a transient summary but instead receive durable profiling artifacts that are harder to notice, review, or remove.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The manifest grants broad access to sensitive sources across multiple session namespaces and also allows cron registration and plugin execution, but it does not define clear invocation constraints, minimization rules, or user-consent boundaries. In a journaling skill, this creates a realistic risk of over-collection, unintended surveillance across unrelated conversations, and expansion from passive summarization into active code or plugin-driven behavior.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly accesses session logs, agent logs, cron run logs, and memory files, while also declaring plugin execution capability, yet the manifest does not present an explicit warning or consent flow for privacy-sensitive collection and system-impacting actions. Because the skill is described as passively scanning ALL session paths via cron, the context makes this more dangerous: users may not expect continuous background analysis of highly sensitive conversation history or side effects from plugin execution.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The template explicitly stores inferred personality traits, communication style, interests, rhythms, and growth themes derived from conversations, but it provides no warning that these are AI-generated inferences that may be sensitive, persistent, and potentially inaccurate. In the context of a journaling skill that scans conversations across all session paths, this increases privacy risk because users may not realize intimate behavioral profiling is being created and retained.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The 'AI Observations' section is designated as maintained by the system but does not warn that it may contain inferred personal data or behavioral analysis. Given this skill's purpose of passively scanning conversations from main, agents, and cron paths, the omission can cause users to unknowingly accumulate sensitive profiling data that could expose private traits, habits, or assumptions if accessed or misused.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Automated recursive scanning of memory and session logs is described without a prominent privacy notice, consent model, or explanation of what sources will be accessed. For a passive background skill, that omission is dangerous because users may not realize that private or unrelated session content is being continuously collected and processed.

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
Defaulting verification logic to Asia/Shanghai can cause the job to evaluate the wrong day boundary for many users, leading to inaccurate collection and journaling of content outside the intended window. While not directly exploitable on its own, it can contribute to privacy and integrity issues by mis-scoping which messages are considered part of 'today'.

Natural-Language Policy Violations

Medium
Confidence
79% confidence
Finding
The optional audit command hardcodes Asia/Shanghai, which can skew audit results and cause users to validate the wrong data window. In a journaling tool that aggregates sensitive session content, incorrect timezone assumptions can silently broaden or shift the scope of collected material.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The instructions copy inbound user images into a permanent journal assets directory without warning the user that ephemeral chat media will become persistently stored. That can create unexpected long-term retention of private photos and increase exposure if the journal directory is synced, shared, or later accessed by other tools.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Preserving Exif metadata can retain precise GPS coordinates, timestamps, device identifiers, and other sensitive information that users may not realize is embedded in photos. In a journaling system, storing that metadata can reveal location history and behavioral patterns far beyond the visible image content.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The protocol explicitly allows plugins to create standalone files outside the main journal, but it does not require any user consent, path restrictions, or user-facing disclosure. In the context of a journaling system that already aggregates sensitive conversation data from multiple session paths, this creates a real risk of silent data proliferation, tampering, or persistence in unexpected locations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The protocol documents plugin access to raw memory and user configuration, including personal journaling content and settings, without any privacy notice, minimization requirement, or permission model. Because PhoenixClaw is described as scanning conversations from all session paths, exposing these data objects to plugins substantially increases the blast radius for sensitive data leakage or misuse.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/rolling-journal.js:333