Dev Chronicle

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-built for developer recaps, but it can automatically read and dump sensitive local memory and agent-session data with limited confirmation or filtering.

Install only if you are comfortable with the skill reading local git history plus OpenClaw/Claude memory and session data. Before using it, edit config.json to narrow projectDirs and set memoryDir or sessionsDir to null or explicit safe folders you have reviewed, and treat generated chronicles as private until you check them for secrets or unrelated personal context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill instructs the agent to read multiple local files and directories, including config, voice profile, gathered output, memory files, and session transcripts, but the manifest does not declare permissions or warn users accordingly. This creates a transparency and least-privilege problem: the skill can access sensitive local development history and personal context without explicit permission signaling.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script automatically probes common AI assistant memory and session directories in the user's home folder when no explicit paths are configured. That broadens data access beyond user-specified sources and can silently collect private agent artifacts unrelated to the requested chronicle, increasing the risk of unintended disclosure.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The usage examples include broad phrases like "Standup notes" and "recap," which are common in normal conversation and can cause the skill to trigger when the user did not explicitly request this capability. Because this skill accesses git history, memory, and session transcripts, accidental invocation could expose sensitive work history or private context in an unintended summary.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases are broad enough to match ordinary conversation such as 'recap', 'standup', or 'what did I do today/this week', which can cause the skill to activate unexpectedly. Because this skill then scans local repositories and private session/memory data, accidental invocation materially increases the chance of unintended data access.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The manifest description does not clearly disclose that the skill may scan local git repositories, memory files, and session transcripts. Since those sources can contain source code, secrets, internal discussions, and personal data, the lack of up-front warning undermines informed consent and raises the risk of privacy-sensitive collection.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
This code reads entire daily memory files and emits their full contents directly to standard output. Memory files may contain sensitive prompts, summaries, secrets, personal notes, or other confidential workspace data, so unrestricted dumping creates a direct data-exposure path.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script inspects local agent session files and reports metadata without clearly disclosing that session records will be accessed. Even metadata such as session IDs, dates, and activity volume can reveal private usage patterns and may surprise users who only expected git-based work summaries.

Ssd 3

High
Confidence
99% confidence
Finding
The skill's purpose is to generate developer chronicles, but this implementation prints full AI memory documents verbatim rather than extracting only relevant work-summary information. In this context, the broad plaintext exposure is more dangerous because the feature is framed as a productivity recap while actually exfiltrating potentially sensitive local memory content into downstream outputs.

Session Persistence

Medium
Category
Rogue Agent
Content
## Setup

On first use, check for `{baseDir}/config.json`. If it doesn't exist, create it by asking the user:

```json
{
```
Confidence
86% confidence
Finding
create it by asking the user:

```json
{
  "projectDirs": ["~/Projects"],
  "projectDepth": 3,
  "memoryDir": null,
  "sessionsDir": null
}
```

- `projectDirs`: directories to scan for git repos (arr

VirusTotal

66/66 vendors flagged this skill as clean.
