Openclaw Diary Setup

Security checks across malware telemetry and agentic risk

Overview

This diary setup skill is not overtly malicious, but it asks for broad account access, installs tools, and stores sensitive personal data and credentials in ways users should review carefully.

Install only if you are comfortable with a diary setup skill that can install tools, create local files, ask for service credentials, and import personal/workspace data. Prefer local-only setup, avoid pasting long-lived secrets into chat, do not use all-source imports, inspect any generated config and shell-profile changes, and use a dedicated secret manager or narrowly scoped tokens for any cloud sync.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (24)

Context-Inappropriate Capability

Medium (95% confidence)
Finding
The design explicitly appends secrets such as FEISHU_APP_ID and FEISHU_APP_SECRET to the user's shell rc file and sources it. Persisting credentials in shell startup files is risky because those files are broadly accessible to local processes, easy to leak via backups or dotfile sync, and can affect every future shell session beyond the onboarding task's scope. In a journal setup wizard, this exceeds the minimally necessary action and creates durable credential exposure.

Context-Inappropriate Capability

Low (80% confidence)
Finding
The design grants Bash-based filesystem and environment manipulation for a skill described as pure-text onboarding. While mkdir for app directories may be legitimate, bundling broad shell capability and environment setup increases the blast radius if the flow is misused, misinterpreted, or later expanded, especially when combined with writing user identity and config data. The mismatch between declared scope and implementation makes the skill more dangerous than users would reasonably expect.

Context-Inappropriate Capability

High (94% confidence)
Finding
The skill goes beyond onboarding guidance and instructs the agent to install a global CLI and additional skills via shell commands. That creates an unnecessary software supply-chain and code-execution risk during a setup flow, especially because the packages are fetched and executed from external sources without strong validation or sandboxing.

Description-Behavior Mismatch

Medium (85% confidence)
Finding
The skill advertises itself as a pure-text onboarding guide, but it actually directs the agent to create directories and write configuration and profile files on disk. This mismatch can mislead users and reviewers about the degree of local system modification and persistent state the skill performs.

Intent-Code Divergence

Medium (95% confidence)
Finding
The skill reassures the user that secrets stay local and are not uploaded, but then instructs storing API credentials directly in the generated configuration file. Persisting secrets in plaintext configuration increases the risk of credential exposure through backups, logs, file sync, accidental sharing, or other local compromise.

Description-Behavior Mismatch

Medium (92% confidence)
Finding
The onboarding skill is described as a setup wizard, but this document defines broader behavior to ingest digital life data from many sources and build a user profile. That scope expansion is security-relevant because users may grant access or trigger collection they did not reasonably expect from onboarding, increasing the risk of overcollection and deceptive consent.

Description-Behavior Mismatch

Medium (89% confidence)
Finding
The README introduces command-based import operations that are not part of the stated onboarding behavior, creating hidden or undocumented capabilities adjacent to the setup flow. In an agent skill context, undocumented commands can enable unexpected data ingestion and reduce meaningful user awareness of what actions the skill may perform.

Context-Inappropriate Capability

Medium (88% confidence)
Finding
The onboarding skill is scoped as a diary initialization wizard, but this guide expands into broad installation and configuration of third-party import connectors across many external services. That scope expansion can cause users to grant excessive access and introduce unnecessary data ingestion paths during setup, increasing attack surface and privacy risk beyond what users would reasonably expect from onboarding.

Context-Inappropriate Capability

Medium (91% confidence)
Finding
The documented detection logic scans local filesystem locations and MCP configuration to enumerate available data sources automatically. In the context of onboarding, this is over-collection behavior because it discovers unrelated personal data repositories and connected services before the user has given specific, informed consent for each source.

Intent-Code Divergence

Medium (90% confidence)
Finding
The statement that sensitive data remains local and is not uploaded to the cloud is misleading given the documented use of cloud-backed platforms and network-dependent MCP integrations. Users may rely on that assurance when deciding to connect accounts, so the mismatch creates consent and privacy risks through inaccurate security claims.

Description-Behavior Mismatch

High (98% confidence)
Finding
The document claims to import identity/profile documents, but the implementation example instead searches for diary documents, filters on titles containing '日记', and writes their contents into local files. This mismatch can cause the skill to ingest and persist highly sensitive diary entries when the user expects only profile extraction, creating a significant privacy and data-handling risk.

Intent-Code Divergence

Medium (90% confidence)
Finding
The pseudocode docstring says '从飞书导入日记', directly contradicting the surrounding guidance that this importer handles user identity/profile content. Such contradictions increase the chance that developers implement diary ingestion paths or operators run the wrong workflow, leading to accidental collection of more sensitive data than intended.

Vague Triggers

Medium (90% confidence)
Finding
The implicit triggers include generic conversational phrases like '今天发生了', '刚才', and '我在想', which are common in ordinary chat. This can cause the journaling/onboarding behavior to activate unintentionally, leading to unintended collection, storage, or processing of personal content and potentially triggering writes or authorization prompts without clear user intent. Because the skill handles sensitive diary and identity data, overbroad triggers are more dangerous in this context.

Missing User Warnings

High (97% confidence)
Finding
The documentation proposes persisting credentials in shell rc files but does not clearly warn users that this creates long-lived secrets in startup files and changes future shell environments. Users may believe they are only configuring a journal tool, not altering global shell behavior or leaving plaintext credentials on disk. The absence of explicit security disclosure materially increases the risk of credential compromise and uninformed consent.

Missing User Warnings

Medium (88% confidence)
Finding
The skill omits a clear warning that it will create directories and write configuration and identity files containing potentially sensitive personal data. In a diary setup context, those files may include user profile details, preferences, social accounts, and storage settings, so silent local persistence can surprise users and increase privacy exposure. The danger is amplified because onboarding may be triggered proactively for first-time users.

Missing User Warnings

Medium (96% confidence)
Finding
The skill initiates software installation through shell commands without an explicit user approval checkpoint immediately before execution. In a conversational agent context, silently installing tools and dependencies materially increases the risk of unintended code execution and violates least surprise.

Missing User Warnings

High (97% confidence)
Finding
The skill asks users to paste highly sensitive App Secrets, integration tokens, and API tokens directly into chat. Chat channels may be logged, retained, accessible to operators, or exposed through conversation history, making this an unsafe collection channel for long-lived credentials.

Missing User Warnings

Medium (94% confidence)
Finding
The document discusses importing digital life data and building a complete user profile without warning about privacy implications, retention, or the sensitivity of the resulting dataset. Because profile-building aggregates multiple sources, the combined data can become far more sensitive than any single source and materially increase harm from misuse or compromise.

Missing User Warnings

Medium (95% confidence)
Finding
The README enumerates OAuth, bot tokens, API keys, and app secrets for multiple platforms but gives no warning about secret handling, least privilege, or account access risks. This is dangerous because users or developers may store credentials insecurely, overscope permissions, or misunderstand that granting access can expose large volumes of personal and organizational data.

Missing User Warnings

Medium (96% confidence)
Finding
The storage section states that identity, auth, imports, and memory data are written under a local path but does not warn that raw imported data and authorization configuration will persist on disk. Persisting both source data and auth material without clear notice increases the risk of local compromise, accidental backup/sync leakage, and long-term retention of highly sensitive information.

Missing User Warnings

Medium (87% confidence)
Finding
The guide shows imported data and auth artifacts being written to local directories, including an auth folder, but does not clearly warn that tokens or sensitive account-derived data may be stored on disk. This can lead users to expose credentials or personal data through weak local permissions, backups, sync tools, or shared machines.

Missing User Warnings

Medium (94% confidence)
Finding
The instructions describe reading Feishu documents and writing both structured identity data and raw source text to a local persistent file, but they do not clearly warn the user that personal content will be copied out of Feishu and stored locally. This undermines informed consent and can expose sensitive personal information to broader retention, backup, or local access risks.

Missing User Warnings

Medium (95% confidence)
Finding
The skill requires users to provide Feishu App ID and App Secret and references environment variable configuration, but it does not warn that these are sensitive credentials or provide safe handling guidance. This can lead users to paste secrets into chats, logs, or prompts, where they may be exposed or retained insecurely.

Ssd 3

Medium (97% confidence)
Finding
The instructions direct the system to retain the full raw imported document inside the generated identity file, even though only extracted profile attributes are needed for the stated purpose. This violates data minimization principles and expands the blast radius if local files are accessed, synced, backed up, or leaked.

VirusTotal

64/64 vendors flagged this skill as clean.
