ClawHub

Daily Recorder Assistant

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local daily journaling/reminder skill with sensitive but purpose-aligned note storage and optional scheduled prompts.

Install only if you want a local assistant that writes daily personal records under ~/.openclaw/workspace and may add OpenClaw scheduled reminders when setup_cron.py is run. Confirm the target channel/user and timezone before enabling cron, and avoid recording sensitive information unless you are comfortable with it being stored locally in plain text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares capabilities to read/write files, access environment-derived paths, and run shell commands, but does not declare permissions or present clear guardrails. That creates an avoidable trust gap: a journaling assistant can persist data and invoke external commands, which increases the chance of unauthorized data access or unintended system changes if the skill is installed or extended.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior exceeds the declared purpose by configuring cron jobs, sending scheduled proactive messages, supporting extra write modes, and handling more channels than the metadata discloses. This mismatch is dangerous because reviewers and users may approve a seemingly simple journaling skill without realizing it can create persistent tasks and operate more broadly than advertised.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
A daily recorder skill that also installs persistent scheduled tasks changes the security posture from passive note-taking to an agent that can act later without an immediate user prompt. Persistent automation increases the risk of surprise messages, abuse of the execution context, and long-lived misconfiguration if the task creation behavior is not prominently disclosed and consented to.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill relies on an external CLI and gateway management commands for cron setup, which expands the attack surface beyond normal journaling. Invoking external tooling via subprocess can introduce command-execution, environment, and privilege-boundary risks, especially when the need for such tooling is not justified by the stated purpose.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill states that user replies are automatically parsed and recorded into notes and state files, but it does not provide a clear privacy notice, retention policy, or consent flow. Because the captured content includes mood, energy, and work details, silent persistence can expose sensitive personal data and create compliance or confidentiality issues.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The documented default cron schedule is bound to Asia/Shanghai without any visible user choice or locale negotiation. While not severe on its own, forcing a timezone can cause reminders to fire at unintended times, leak activity patterns, and create confusing or privacy-impacting notifications for users in other regions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
In `record_feedback` mode, the script can immediately write parsed or auto-extracted user content into notes via `record_main(...)` without a clear confirmation step immediately before mutation. Because it also auto-infers morning/evening mode from time and falls back to heuristic extraction from arbitrary text, ordinary conversation or ambiguous input could be turned into persistent records unexpectedly, causing integrity issues and accidental storage of sensitive content.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal