Is 0xbeekeeper/claw-diary safe?
https://github.com/openclaw/skills/tree/main/skills/0xbeekeeper/claw-diary
claw-diary is a well-structured activity diary skill with proper data scoping and explicit security notes, but its reliance on a globally installed npm binary (claw-diary) adds a trust boundary across which code execution cannot be verified from the skill repository. The persona.md read/write feedback loop creates a persistent prompt injection surface in which poisoned event data can propagate across sessions. Clone behavior and canary integrity are clean.
Findings (8)
HIGH (-30): Global npm package install with unverifiable code
The skill requires 'npm install -g claw-diary' which installs a globally-accessible binary from npm. npm packages can execute arbitrary code via lifecycle scripts (preinstall, postinstall) during installation, and the installed binary runs with full user privileges. The package contents cannot be audited from the skill repository alone.
MEDIUM (-15): Persistent injection via persona.md feedback loop
The /diary:thoughts command reads persona.md, generates a journal entry based on untrusted event files, then appends new 'observations' back to persona.md. This creates a persistent feedback loop where poisoned event data can propagate into persona.md, which is then read in all future /diary:thoughts invocations. A sophisticated attacker could craft event file content that causes the agent to write injection payloads into the Observations section.
MEDIUM (-15): All functionality delegated to external binary
Every slash command (/diary, /diary:replay, /diary:stats, /diary:search, etc.) executes the claw-diary CLI binary. This means all skill functionality runs as arbitrary native code outside the agent's sandboxing. The binary could perform any action the user can perform.
MEDIUM (-10): Untrusted event files read as LLM context
The /diary:thoughts command reads ~/.claw-diary/events/YYYY-MM-DD.jsonl files as context for journal generation. These files could be written or modified by any process with filesystem access, making them an injection vector. While a security note warns against following embedded instructions, this defense depends on LLM compliance.
LOW (-5): Local server started by /diary:replay
The /diary:replay command starts a local HTTP server to serve an interactive timeline. This could expose agent activity data (sessions, tool calls, costs) to any process or user on the local network, depending on the server's bind address.
LOW (-10): npm binary network behavior unverifiable
While SKILL.md declares 'no external network requests', this only applies to the skill's instructions to the agent. The claw-diary binary itself could make arbitrary network requests (telemetry, data exfiltration) that would not be visible in the SKILL.md audit.
INFO (-10): Activity data is a high-value reconnaissance target
The ~/.claw-diary/ directory contains a complete record of all agent activity including sessions, tool calls, token usage, and costs. If the claw-diary binary or a companion skill exfiltrated this data, it would provide detailed intelligence about user workflows, accessed files, and potentially secrets the agent has handled.
INFO (0): Good security practices present
The skill includes an explicit security note about treating file content as untrusted, avoids string interpolation in search queries, and properly scopes data access. These mitigations reduce (but do not eliminate) injection risks.