Openclaw Diary Setup

OpenClaw Diary 日记系统安装向导。引导用户完成日记系统的初始化设置，包括人设选择、用户身份建立、存储配置和授权管理。 **立即触发当**：用户说「setup my journal」「初始化日记」「配置日记系统」「journal setup」「开始设置日记」。 **主动触发当**：用户首次尝试使用 d...

Things to check before installing/using this skill: - Metadata vs. behavior: The skill declares no required env vars, but the onboarding docs instruct collection of many credentials (Feishu, Notion, Google, Slack, Dropbox, Twitter). Treat credential collection as optional and only provide tokens when you explicitly intend to sync that service. - Filesystem & env changes: The flow creates directories (~/write_me/, ~/.openclaw/...), writes configuration and 'identity' files, and includes example code that appends export lines to your shell RC. Back up any existing configs and inspect exactly what will be written before allowing it. - Global package installs: SKILL.md tells the agent to run npm install -g for clawhub and MCP CLIs. If you don't want global installs, refuse or run them manually in a controlled environment (container/VM) first. - Credential storage: The design stores auth info under ~/write_me/01studio/me/auth/*.json — verify file permissions, encryption, and whether tokens will be persisted or can be removed/rotated. - Least privilege: Prefer the 'local only' setup path if you want to avoid cloud sync and credential exposure. If you do use imports/sync, provide one service at a time and verify importer behavior. - Run in isolation: If you plan to test, do so in an isolated environment (test account, VM, or container) to observe exactly what the onboarding agent executes. - Ask for changes: If you will install this skill, request that the publisher update registry metadata to list required env vars and to remove any automatic shell RC writes (or require an explicit confirmation step). If you want, I can: (a) extract a checklist of every path and file the skill will touch, (b) produce a minimal safe installation script limited to 'local only', or (c) draft exact prompts to refuse credential writing and global installs during onboarding.

Type: OpenClaw Skill Name: openclaw-diary-setup Version: 1.0.3 The skill bundle 'openclaw-diary-setup' (v1.0.3) functions as an onboarding wizard that performs several high-risk operations. According to SKILL.md, the agent is instructed to collect sensitive API credentials (App Secrets and Tokens for Feishu, Notion, and Flomo), modify the user's shell configuration files (~/.bashrc or ~/.zshrc) to persist environment variables, and execute global system commands (npm install -g clawhub). While these actions are aligned with the stated purpose of setting up a synchronized diary system, the automated handling of raw secrets and modification of system startup scripts by an AI agent constitutes a significant attack surface. No evidence of intentional data exfiltration or malicious backdoors was identified.