Security audit

时迹

Security checks across malware telemetry and agentic risk

Overview

This instruction-only TimeFriend skill is consistent with its stated purpose of time tracking and task management, but it can write personal records to a TimeFriend account.

Install this only if you trust timefriend.xin and are comfortable giving OpenClaw a TimeFriend token. Use a revocable token if available, review parsed dates and times before relying on records, and be aware that broad phrases like “记一下” may need clarification to avoid storing the wrong kind of note.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The trigger phrase "帮我记一下" is overly broad for a skill that performs state-changing actions against a remote service. It can be matched during ordinary conversation or when the user intended a different kind of note-taking, causing unintended creation of time records in the user's account.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
Using the vague phrase "记一下" as a diary trigger creates high ambiguity, especially because the skill also supports other write operations and this flow appends persistent content to a daily review. A casual user utterance containing reflective text could be silently stored as diary content without clear consent or correct classification.

Natural-Language Policy Violations

Severity: Medium
Confidence: 84%
Finding
Forcing all colloquial time expressions to Beijing time without user opt-in can cause incorrect timestamps to be written for users in other time zones. In a time-tracking skill, wrong time normalization directly affects records, summaries, and downstream planning, making this more than a harmless UX issue because it changes persisted user data.

VirusTotal

59/59 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.