Skillv0.1.2

ClawScan security

Mini Diary · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 22, 2026, 6:21 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's files and scripts largely match a minimal diary purpose, but a pre-scan flagged hidden unicode control characters in SKILL.md (possible prompt-injection), and there are several small mismatches and NextCloud instructions that require privileged operations — review before installing.
Guidance: What to do before installing: 1) Inspect SKILL.md raw content for hidden unicode control characters (use a hex/UTF-8 viewer or `cat -v`, `xxd`) and remove/ask author for a clean copy if any are present. The scanner found 'unicode-control-chars' which could be an obfuscation attempt or a false positive from emojis. 2) Verify source: the package.json/SKILL.md reference a GitHub repo but registry source shows unknown. Confirm the upstream repository and review recent commits or open issues; prefer installing from a verified upstream. 3) Test in a sandbox: run the scripts locally on a throwaway diary file in a non-privileged environment (e.g., set DIARY_FILE to a test file in a temp dir) and run test_security.sh to exercise safety checks. 4) Be careful with NextCloud instructions: they include chown and docker exec commands that require elevated privileges. Only set NEXTCLOUD_SYNC_DIR to a directory you control and avoid running recommended chown/docker commands unless you understand and accept the privilege implications. 5) Review install.sh behavior: it copies the repository into the agent skills directory. Confirm OPENCLAW_HOME is correct and verify the copied files and file ownership after installation. The installer only sets executable bits for files owned by the user, which is safer than unconditional chmod. 6) If you plan to allow autonomous agent invocation, note that the skill can be invoked by the agent to read/write diary files in your home directory (as designed). Ensure you are comfortable with that access and the default DIARY_FILE location. If any of the above checks fail or you find hidden control characters, treat the package as untrusted and do not install until the author provides a clean, verifiable source and explanation.
Findings: [unicode-control-chars] unexpected: The SKILL.md was flagged for hidden unicode control characters. This is not expected for a diary README and can be used for prompt-injection or obfuscation. The rest of the code appears to use emojis and UTF-8 symbols (which are benign), but you should inspect the raw SKILL.md for control characters (e.g., U+202A..U+202E, U+200F, etc.) before trusting the file.

Review Dimensions

Purpose & Capability: okName/description match the provided scripts: add/search/install scripts, templates, examples, and docs implement a Markdown diary with auto-tagging and optional NextCloud sync. The presence of DIARY_FILE, NEXTCLOUD_SYNC_DIR, TAGS_CONFIG and related logic is appropriate for the stated features. One minor mismatch: registry metadata lists "Source: unknown" while package.json/SKILL.md point to a GitHub repo (verify upstream origin).
Instruction Scope: noteSKILL.md and the scripts are narrowly scoped to diary operations (adding notes, searching, optional copying to NextCloud). However, SKILL.md/doc text includes instructions that require elevated/system operations for NextCloud (chown, docker exec php occ) — these are user-facing instructions, but they involve privileged actions outside the diary scope and should be executed only by the user when they understand the consequences. The static scanner also flagged unicode-control-chars inside SKILL.md (possible hidden characters/prompt-injection); the rest of the scripts do not perform network calls or external data exfiltration.
Install Mechanism: okThere is no registry install spec; installation is via included install.sh or ClawHub. install.sh copies local files into the agent skills directory and makes scripts executable only if owned by the user. No remote downloads or URL-based installs are used. The installer requires OPENCLAW_HOME (and exits if not present) — sensible for an OpenClaw skill.
Credentials: noteNo required credentials are requested. The scripts reference optional environment variables (DIARY_FILE, NEXTCLOUD_SYNC_DIR, TAGS_CONFIG, MINI_DIARY_DEBUG) that are proportional to functionality. Caveat: enabling NextCloud sync will cause the script to write/copy files into the chosen directory and SKILL.md/docs advise running chown/docker commands (which require elevated privileges). Ensure you only point NEXTCLOUD_SYNC_DIR at a location you control and understand owner/permission changes.
Persistence & Privilege: okThe skill does not request always:true and does not modify other skills' configurations. install.sh copies files into the skill's own install directory. Agent autonomous invocation is enabled by default (normal for skills) but there is no evidence the skill demands global persistent privileges or alters unrelated agent settings.