← Back to Skills Marketplace

diff4

Name: diff4
Author: djyde

by Randy · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install diff4

Description

Preview git diffs and files using the diff4 CLI. Use when the user wants to see code changes, review files content securely via diff4

README (SKILL.md)

diff4 - Encrypted Diff & File Sharing

diff4 encrypts diffs and files client-side (AES-256-GCM) before uploading. The server never sees plaintext. Recipients need the passphrase to decrypt.

Prerequisites

diff4 must be installed and available on PATH. Use npm i -g @diff4/cli to install.
A passphrase must be configured (see setup below)

Commands

Share the latest commit diff

diff4 git-latest

Runs git diff HEAD~1, encrypts the result, and uploads. Use when the user says "preview my last commit" or "send the latest diff."

Share staged changes

diff4 git-staged

Runs git diff --staged, encrypts, and uploads. Use when the user says "preview my staged changes" or "send what's about to be committed."

Share arbitrary files

diff4 files path/to/file1.ts path/to/file2.ts

Reads each file (UTF-8 text only), bundles them as JSON, encrypts, and uploads. Supports any number of paths (relative or absolute).

Key management

diff4 key-gen [key] - Generate or set the encryption passphrase
diff4 key-get - Print the current passphrase

Options

All upload commands (git-latest, git-staged, files) accept:

Flag	Description
`-s, --server \x3Curl>`	Override the diff4 server URL. Default: `https://diff4.com` (or `DIFF4_SERVER` env var)
`-p, --passphrase \x3Ckey>`	Override the passphrase for this command only. Default: `DIFF4_PASSPHRASE` env var

Gotchas

Empty diffs fail gracefully. git-latest and git-staged will error if there is nothing to share.
Binary files are not supported. diff4 files reads files as UTF-8 text.
Server is configurable. Self-hosted instances can be set via DIFF4_SERVER env var or -s flag.
The passphrase must be shared out-of-band. diff4 only encrypts — recipients need the same passphrase to decrypt.
key-gen updates existing keys. If DIFF4_PASSPHRASE already exists in the shell config, key-gen replaces it in-place.

Typical workflow

User asks to see a diff or files
Verify setup: run diff4 key-get (if it fails, run diff4 key-gen and tell user to source their rc file)
Run the appropriate command (git-latest, git-staged, or files \x3Cpaths>)
Return the URL from the response to the user
Remind the user that recipients need the passphrase to decrypt

Usage Guidance

This instruction-only skill appears to do what it says (preview and share diffs) but has several red flags: (1) the SKILL.md requires the third-party `@diff4/cli` npm package though the registry lists no install requirements — verify the exact npm package name and publisher before installing; (2) the instructions reference DIFF4_PASSPHRASE and DIFF4_SERVER though no env vars are declared — expect to provide/store a passphrase and be aware key-gen will modify your shell rc file; (3) the tool reads arbitrary file paths and uploads encrypted blobs to an external server (default https://diff4.com) — even encrypted uploads can leak sensitive content if the passphrase or server are compromised; (4) there is no homepage or source listed, so the origin is unknown. Recommended actions before installing: confirm the official diff4 project (homepage, repo, npm publisher), inspect the npm package contents for unexpected code, prefer a self-hosted server or verify TLS/PKI for diff4.com, and avoid using the skill to upload secrets or system files until you trust the package and server. If you plan to use it, explicitly set and manage DIFF4_PASSPHRASE and review how key-gen updates shell configs.

Capability Analysis

Type: OpenClaw Skill Name: diff4 Version: 1.0.0 The diff4 skill facilitates the uploading of local files and git diffs to a remote third-party server (https://diff4.com). While it claims to use client-side encryption, the skill provides the agent with the capability to read and exfiltrate arbitrary file paths via the 'files' command and retrieve encryption passphrases via 'key-get'. This represents a high-risk data exfiltration vector if the agent is prompted to target sensitive files (e.g., credentials or SSH keys) outside the intended scope of code sharing.

Capability Assessment

ℹ Purpose & Capability

Name and description match the instructions: the skill runs a diff4 CLI to read git diffs or files and upload them. However the registry metadata lists no required binaries or env vars while the SKILL.md explicitly requires the diff4 CLI and references DIFF4_PASSPHRASE/DIFF4_SERVER environment variables — this mismatch is incoherent.

⚠ Instruction Scope

Runtime instructions tell the agent to run git diffs and read arbitrary file paths (absolute or relative) and then encrypt & upload them. Reading arbitrary files and uploading them (even encrypted) is a potential exfiltration vector. SKILL.md also directs key-gen to update shell rc files (replacing DIFF4_PASSPHRASE), which is a persistent side-effect not declared in the skill metadata.

ℹ Install Mechanism

No install spec is included in the registry, but the SKILL.md requires installing `@diff4/cli` via `npm i -g`. The absence of an install specification in the package metadata is an inconsistency: the skill expects a third-party npm package but does not declare or vet an install source or origin.

⚠ Credentials

The skill metadata declares no required environment variables, yet SKILL.md uses DIFF4_PASSPHRASE (for encryption) and DIFF4_SERVER (server override). The instructions also state key-gen will replace passphrases in shell config — this implies write access to user shell files. The presence of unspecified env/config manipulation is disproportionate to the metadata and should be declared explicitly.

ℹ Persistence & Privilege

The skill is not always-enabled and does not request special platform privileges. However, its key-gen behavior writes/updates shell config (persistent change to the user's environment), which is a sensitive side-effect that was not declared as a config-path requirement.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install diff4
After installation, invoke the skill by name or use /diff4
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

- Initial release of diff4 skill for secure diff and file sharing. - Supports encrypting and sharing git diffs (`git-latest`, `git-staged`) and arbitrary files via the diff4 CLI. - Client-side AES-256-GCM encryption ensures only holders of the passphrase can decrypt shared content. - Server URL and passphrase configurable via flags or environment variables. - Key generation and retrieval available through `diff4 key-gen` and `diff4 key-get`. - Notifies on edge cases like empty diffs and unsupported binary files.

Metadata

Slug diff4

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is diff4?

Preview git diffs and files using the diff4 CLI. Use when the user wants to see code changes, review files content securely via diff4. It is an AI Agent Skill for Claude Code / OpenClaw, with 72 downloads so far.

How do I install diff4?

Run "/install diff4" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is diff4 free?

Yes, diff4 is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does diff4 support?

diff4 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created diff4?

It is built and maintained by Randy (@djyde); the current version is v1.0.0.

More Skills