Skillv1.1.9

ClawScan security

Claw-Diary · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 9, 2026, 5:41 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions match its stated purpose (guard + audit + diary sync) and request only an API key; there are no install steps or local code, but you should verify trust in the external ClawDiary service and the API key handling before enabling it.
Guidance: This skill is internally consistent: it asks only for a ClawDiary API key and instructs the agent to call the remote guard/audit/diary endpoints, with explicit redaction rules. Before installing: (1) Verify the ClawDiary service and operator (clawdiary.org, the GitHub repo) and review their privacy/security practices; (2) Store CLAWDIARY_API_KEY securely (least privilege) and rotate it if exposed; (3) Consider requiring manual/user-invocation or limiting autonomous invocation if you are uncomfortable with the agent calling an external service automatically; (4) Understand that the redaction regex/truncation rules are not infallible — sensitive data might still leak if inputs are atypical, so avoid sending raw files or secrets even if instructions say to redact; (5) If you can, self-host the service (repo link is provided) so you control logs and approvals. Overall the skill appears coherent, but trust in the external service and robust secret handling are the main residual risks.

Review Dimensions

Purpose & Capability: okName/description (guard, audit, diary sync) align with the declared runtime behavior: POST/GET calls to api.clawdiary.org and a single required env var CLAWDIARY_API_KEY. No unrelated binaries, config paths, or extra credentials are requested. Minor note: registry metadata lists "Primary credential: none" even though CLAWDIARY_API_KEY is required in the skill metadata—this is an administrative inconsistency but not a functional mismatch.
Instruction Scope: noteThe SKILL.md and instructions.txt explicitly tell the agent to call guard endpoints before high-risk actions, call audit endpoints after actions, and sync diaries. They also specify strict truncation and regex redaction rules and prohibit sending files or raw outputs. This scope is coherent with the stated purpose, but it requires trust in the remote service and correct implementation of the redaction/truncation rules (which can be brittle and may not guarantee complete secret removal).
Install Mechanism: okInstruction-only skill with no install spec and no code files — nothing is written to disk or fetched at install time, which minimizes install-time risk.
Credentials: okOnly one environment variable (CLAWDIARY_API_KEY) is required, which is proportional for an API-based gating/audit service. No unrelated credentials or system config paths are requested.
Persistence & Privilege: notealways:false (normal) and model invocation is enabled (default). That means the agent can call the external service autonomously; this is expected for a guard/audit skill but increases the importance of trusting the remote endpoint and protecting the API key. There is no request to modify other skills or system-wide config.