Security audit

Diary Force

Security checks across malware telemetry and agentic risk

Overview

This diary skill is mostly transparent about saving, analyzing, and archiving journals, but it can automatically push very personal diary and memory files through Git with weak scoping and consent controls.

Review before installing. Use this only with a private, intended Git repository and after changing or verifying the hard-coded diary and memory paths. Disable cron and remove or gate the Git push behavior if you do not want diary entries, Obsidian vault changes, or AI-generated analysis committed and uploaded automatically. Avoid highly sensitive personal, medical, financial, or work content unless you have verified the OpenCode/model privacy behavior and repository visibility.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (29)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
# Git push
    os.chdir(MEMORY_PATH.parent)
    os.system('git add . && git commit -m "memory: sync {}" && git push'.format(date))
    
    return f"""
✅ **日记已完成!**
Confidence
97% confidence
Finding
os.system('git add . && git commit -m "memory: sync {}" && git push'.format(date))

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
# Git push
    os.chdir(MEMORY_PATH.parent)
    os.system(f'git add . && git commit -m "memory: sync {date}" && git push')

    msg = f"""
✅日记已完成!
Confidence
99% confidence
Finding
os.system(f'git add . && git commit -m "memory: sync {date}" && git push')

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
def git_push(date: str):
    """Git push"""
    os.chdir(MEMORY_PATH.parent)
    os.system('git add . && git commit -m "memory: sync {}" && git push'.format(date))


def run_analysis(user_input: str):
Confidence
96% confidence
Finding
os.system('git add . && git commit -m "memory: sync {}" && git push'.format(date))

subprocess module call

Medium
Category
Dangerous Code Execution
Content
prompt = THINKING_PROMPT.format(user_input=user_input)
    
    try:
        result = subprocess.run(
            ["opencode", "run", "--model", "opencode/minimax-m2.5-free", prompt],
            input="",
            capture_output=True,
Confidence
83% confidence
Finding
result = subprocess.run( ["opencode", "run", "--model", "opencode/minimax-m2.5-free", prompt], input="", capture_output=True, text=True,

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill clearly performs file reads/writes and shell-like operations via Python, Git, and OpenCode CLI, yet does not declare permissions. This deprives users and the platform of an explicit trust boundary and makes sensitive diary persistence and command execution less auditable. In a journaling skill handling personal reflections, undeclared capabilities materially increase risk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The stated purpose emphasizes diary prompting and analysis, but the documented behavior also includes local persistence, long-term memory extraction, Git commit/push to remote storage, external model invocation, and additional manual/interactive flows. This mismatch is security-relevant because users may consent to a reminder tool without realizing it exports, archives, and operationalizes sensitive diary content beyond the described scope.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill is presented as a diary reminder and analysis assistant, but it also synchronizes captured diary content to a Git repository. This is a capability expansion beyond the stated purpose and materially increases privacy and exfiltration risk, especially because users may disclose intimate personal information under the assumption of local journaling only.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Executing shell commands for git operations is not necessary for a diary-coaching tool and introduces a powerful system-execution primitive. In the context of a skill that processes free-form user input and stores sensitive reflections, this unjustified capability broadens the attack surface and makes accidental or malicious command execution far more damaging.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code writes diary data to a second path in an Obsidian memory vault unrelated to the stated diary prompting scope. Duplicating sensitive personal content into an additional knowledge store increases persistence and exposure risk, particularly when users are not clearly informed that their diary will be replicated outside the primary diary folder.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The advertised purpose is diary prompting and analysis, but the implementation also commits and pushes diary/memory content to Git, which materially expands the data exposure surface beyond user expectations. In a journaling skill, covert or undisclosed repository sync is especially dangerous because users are likely to enter intimate, identifying, or regulated personal data.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Executing shell/Git commands is not necessary for the core task of thought-model analysis and diary writing, so it introduces an unjustified high-risk capability. In this skill context, that capability can transmit or persist sensitive diary data outside the local environment without meaningful user awareness.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README advertises automatic diary prompting, memory internalization, and Git archiving, but does not disclose what sensitive journal content may be collected, stored, transformed, or committed. For a diary skill, this is security-relevant because users may expose highly personal data without understanding retention, version history, or downstream processing risks.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documented cron configuration causes the skill to run automatically at 23:00 against journal workflows, but the README does not warn that sensitive personal data may be accessed or processed without a fresh user confirmation at execution time. Automatic background handling increases the chance of unintended prompts, data capture, or processing in shared or poorly secured environments.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger conditions include broad natural-language phrases such as mentioning diaries, thinking models, or not having written yet, which could activate the skill during ordinary conversation. In a tool that stores and analyzes intimate personal data, accidental invocation can cause unexpected collection, persistence, and follow-on external processing.

Vague Triggers

Medium
Confidence
81% confidence
Finding
Subjective activation criteria such as low energy, emotional fluctuation, or needing reflection are ambiguous and can be inferred too broadly by an agent. That raises the chance the skill will engage in sensitive contexts where the user did not intend structured journaling, persistence, or analysis.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill does not clearly warn users that diary and derived memory content will be committed and pushed with Git, potentially to a remote repository. This materially expands exposure from local note-taking to durable versioned storage and possible remote replication, making accidental disclosure far more severe.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill does not clearly warn users that diary and derived memory content will be committed and pushed with Git, potentially to a remote repository. This materially expands exposure from local note-taking to durable versioned storage and possible remote replication, making accidental disclosure far more severe.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The eval prompts are broad natural-language triggers such as checking whether a diary exists, helping write a diary, and internalizing diary content into memory. Without tighter activation boundaries, the skill could be invoked unintentionally in unrelated conversations and then access local files or perform follow-on actions the user did not explicitly request in that context. The '强制型' framing increases concern because it normalizes assertive behavior rather than consent-driven execution.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The eval explicitly expects writing derived memory entries into the memory/ directory and creating a Git commit, but it provides no warning, disclosure, or confirmation step. This can cause unintended persistence of sensitive personal reflections, broaden data exposure through version history, and surprise the user with repository modifications that may later be synced or shared.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill writes diary content to disk and then pushes it via git without upfront warning, meaningful consent, or a review step. Because diaries commonly contain sensitive personal, emotional, and relational information, silent persistence and remote sync materially increase confidentiality risk and violate reasonable user expectations for a journaling assistant.

Missing User Warnings

High
Confidence
99% confidence
Finding
This alternate finalize flow also persists diary content and triggers git push without prior disclosure or confirmation, while additionally accepting a user-provided date that is later embedded in a shell command. The combination of silent data export and command injection potential makes this path especially dangerous in a tool intended to collect personal reflections.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill forwards user diary content to an external model process without any visible privacy notice, which is a meaningful data disclosure issue for sensitive personal writing. The journaling context makes this more dangerous because users reasonably expect intimate reflections to remain local unless clearly told otherwise.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code writes AI-generated analysis directly into diary and memory files and mirrors content into a second location without explicit confirmation, which can alter personal records unexpectedly. This is risky because model output may be incorrect, manipulative, or contain sensitive inferences, and the memory file update may overwrite prior content.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Automatically running git add/commit/push after file updates sends modified content toward remote storage without an explicit warning or consent step. In a diary application, that creates a serious confidentiality risk because extremely personal content may be published or synced to infrastructure the user did not intend to use for journals.

Ssd 3

Medium
Confidence
93% confidence
Finding
The workflow explicitly internalizes user diary content and insights into persistent memory and Git archives, increasing retention and dissemination of sensitive free-form text. Natural-language journals often contain secrets, health details, relationship issues, and work information, so long-term storage and replication elevate both privacy harm and breach impact.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.