ClawHub

OpenClaw Diary Insights

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent local diary-insights tool, but it handles sensitive journal content and users should understand the local outputs and CDN-loaded visualization before installing.

Install only if you are comfortable with an agent reading your diary folder, optional identity file, and saving derived personal summaries under ~/write_me/02notes/insights/. Treat the generated HTML, data.js, and JSON as sensitive. For stronger privacy, review the configured storage.path before running and avoid opening the generated page online unless you accept third-party CDN script/font loading.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The manifest claims the skill reads from a specific journal directory, but the instructions actually dereference an external config file and then read whatever path is stored in storage.path. This expands the data-access scope beyond what the user is told, creating a privacy and trust issue because the skill could read from an unexpected local directory if the config is changed or poisoned.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This page is intended to be a local journal-insights visualization, but it fetches executable JavaScript from jsDelivr and font resources from Google Fonts at runtime. That creates unnecessary outbound network access, leaks usage metadata, and introduces supply-chain risk because a compromised CDN or blocked network can alter behavior or break the page despite the skill's local-analysis purpose.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README documents automatic access to private journal files, creation of derived artifacts, and opening a browser page, but it does not clearly warn users that sensitive diary content will be read, transformed, and persisted into additional files. For a journaling skill, this increases privacy risk because highly personal data may be copied into less protected locations or exposed on screen without an explicit informed-consent step.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrase '生成洞察' is broad enough to match ordinary conversation, which can cause the skill to activate unexpectedly and process private diary content without sufficiently explicit user intent. In a diary-analysis skill, unintended invocation is more sensitive because it may read personal entries and write derived files automatically.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The proactive suggestion rule is vague and may prompt unsolicited activation around journaling habits or month-end timing. In this context, even a suggestion can pressure or surprise users about analysis of sensitive personal content, especially if the assistant appears to monitor diary frequency or local files without a fresh request.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The description does not prominently warn that the skill reads personal diary entries and writes derived local artifacts such as HTML and JSON files. For a skill handling intimate personal data, lack of upfront disclosure undermines informed consent and increases the risk of surprising users with local persistence of sensitive summaries.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal