Mini Diary

AI-powered minimal diary with smart auto-tagging and optional cloud sync. Perfect for daily journaling, work logs, or project tracking.

What to do before installing: 1) Inspect SKILL.md raw content for hidden unicode control characters (use a hex/UTF-8 viewer or `cat -v`, `xxd`) and remove/ask author for a clean copy if any are present. The scanner found 'unicode-control-chars' which could be an obfuscation attempt or a false positive from emojis. 2) Verify source: the package.json/SKILL.md reference a GitHub repo but registry source shows unknown. Confirm the upstream repository and review recent commits or open issues; prefer installing from a verified upstream. 3) Test in a sandbox: run the scripts locally on a throwaway diary file in a non-privileged environment (e.g., set DIARY_FILE to a test file in a temp dir) and run test_security.sh to exercise safety checks. 4) Be careful with NextCloud instructions: they include chown and docker exec commands that require elevated privileges. Only set NEXTCLOUD_SYNC_DIR to a directory you control and avoid running recommended chown/docker commands unless you understand and accept the privilege implications. 5) Review install.sh behavior: it copies the repository into the agent skills directory. Confirm OPENCLAW_HOME is correct and verify the copied files and file ownership after installation. The installer only sets executable bits for files owned by the user, which is safer than unconditional chmod. 6) If you plan to allow autonomous agent invocation, note that the skill can be invoked by the agent to read/write diary files in your home directory (as designed). Ensure you are comfortable with that access and the default DIARY_FILE location. If any of the above checks fail or you find hidden control characters, treat the package as untrusted and do not install until the author provides a clean, verifiable source and explanation.

Type: OpenClaw Skill Name: mini-diary Version: 0.1.2 The Mini Diary skill demonstrates a strong commitment to security, explicitly addressing and fixing critical vulnerabilities related to arbitrary file writes in version 0.1.2, as detailed in `CHANGELOG.md`. All shell scripts (`add_note.sh`, `install.sh`, `search_diary.sh`) implement robust path validation to prevent access or modification of system directories, utilize strict bash modes (`set -euo pipefail`), and perform safe file operations (e.g., `chmod` with ownership checks in `install.sh`). The `test_security.sh` script further confirms these defenses. There is no evidence of intentional malicious behavior such as data exfiltration, unauthorized remote execution, persistence mechanisms, or prompt injection attempts against the OpenClaw agent. Instructions in markdown files (e.g., `chown`, `docker exec`) are clearly for the user's manual setup, not for the agent to execute directly under its `allowed-tools` scope.