Openclaw Diary Setup
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: openclaw-diary-setup Version: 1.0.3 The skill bundle 'openclaw-diary-setup' (v1.0.3) functions as an onboarding wizard that performs several high-risk operations. According to SKILL.md, the agent is instructed to collect sensitive API credentials (App Secrets and Tokens for Feishu, Notion, and Flomo), modify the user's shell configuration files (~/.bashrc or ~/.zshrc) to persist environment variables, and execute global system commands (npm install -g clawhub). While these actions are aligned with the stated purpose of setting up a synchronized diary system, the automated handling of raw secrets and modification of system startup scripts by an AI agent constitutes a significant attack surface. No evidence of intentional data exfiltration or malicious backdoors was identified.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running setup could modify the user's local agent and Node environment by installing remote packages or skills the user has not separately reviewed.
The instruction-only skill can install a global npm package and additional OpenClaw skills at runtime, with no pinned versions or reviewed install spec shown.
if ! command -v clawhub ... npm install -g clawhub ... clawhub install openclaw-diary-core ... clawhub install openclaw-diary-insights
Require explicit confirmation before installation, declare these dependencies in metadata/install specs, pin versions or trusted sources, and offer manual install instructions.
Service credentials could remain available in future shells and be inherited by unrelated local processes.
The setup design instructs Bash edits to persistent shell startup files and reloads them, including secret values, without showing rollback or safer credential storage.
echo 'export FEISHU_APP_ID="xxx"' >> "$RC_FILE" echo 'export FEISHU_APP_SECRET="xxx"' >> "$RC_FILE" source "$RC_FILE"
Use a scoped credential store or OpenClaw secret mechanism, avoid appending secrets to shell profiles by default, and ask the user before persistent environment changes.
Granting these credentials could expose email, cloud documents, workspace messages, repositories, and social accounts to the diary/import pipeline.
The importer guide requests access credentials for many personal and workplace services, but the artifacts do not define least-privilege scopes or clear limits for each account.
| Gmail | google-workspace-mcp | OAuth | | Google Docs | google-workspace-mcp | OAuth | | Google Drive | google-workspace-mcp | OAuth | | Slack | slack-mcp | Bot Token | | GitHub | 原生支持 | Token | | X/Twitter | twitter-mcp | API Key |
Request only the single provider the user selects, document exact scopes and data read/write permissions, and prefer read-only or least-privilege tokens.
Private content from previous agent projects or connected services could become persistent context for future diary interactions.
The artifacts describe broad import of local/private digital-life data and existing agent memory into persistent AI memory, without clear exclusions, retention, or reuse boundaries.
自动接入用户的数字生活数据源 - 统一导入为 AI Memory ... OpenClaw Memory | 本地读取 | 无需 MCP,直接读取 `~/.claude/projects/*/memory/`
Use explicit source-by-source consent, path allowlists, sensitive-data exclusions, retention controls, and a way to inspect/delete imported memory.