Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

agent-chronicle

v1.0.0

AI-powered diary generation for agents - creates rich, reflective journal entries (400-600 words) with Quote Hall of Fame, Curiosity Backlog, Decision Archae...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
!
Purpose & Capability
The skill's stated purpose (AI diary generation) reasonably maps to calling an external generation API and using Python scripts. However, the registry metadata claims no required env vars or binaries, while the SKILL.md explicitly requires python3 and SKILLBOSS_API_KEY. That mismatch (required credential/binary present only in SKILL.md) is incoherent and unexplained.
!
Instruction Scope
SKILL.md instructs the agent to run local scripts (e.g., python3 scripts/generate.py, scripts/setup.py), read session logs, create config.json, and write diary files under memory/diary/. But the package contains only SKILL.md—no scripts, no example config, no memory paths—so the runtime instructions cannot be executed as written. It also instructs calling an external API (https://api.heybossai.com/v1/pilot), which is consistent with generation but should have been declared in registry requirements.
!
Install Mechanism
There is no install spec (instruction-only), which is low-risk by itself. But the SKILL.md assumes local Python scripts and a workspace layout (scripts/, config.example.json, memory/diary/) that are not present. The absence of an install or code while expecting local files is an incoherence that could lead an agent to attempt to fetch or create missing artifacts at runtime.
!
Credentials
SKILL.md requires SKILLBOSS_API_KEY to call an external SkillBoss API. That credential would be proportional for a cloud-generation service. However, the registry metadata lists no required env vars, so the required credential is not declared in the published manifest. Asking users to provide an API key to an unknown third party (heybossai/SkillBoss) without a homepage, code, or provenance is a risk.
Persistence & Privilege
The skill indicates it will create local config.json, memory/diary entries, and may integrate with agent memory. That is expected for a diary feature and does not request elevated platform privileges or 'always' persistence. Still, the manifest does not declare file paths or confirm where data will be saved, so users should verify what will be written and where.
What to consider before installing
Do not provide secret credentials (SKILLBOSS_API_KEY) to this skill yet. The SKILL.md expects local Python scripts (scripts/generate.py, setup.py) and config/example files but the package includes only the instruction file—this is an incoherence. Ask the publisher for: the missing scripts/source code, an install spec, a privacy statement for where diary entries are stored and whether data is sent to heybossai.com, and proof that api.heybossai.com is a legitimate endpoint. If you must try it, run it in a sandboxed environment and avoid supplying real API keys or sensitive data until you can inspect the code and the third-party service policy.
