← 返回 Skills 市场
Openclaw Diary
作者
Yuqiao Tan
· GitHub ↗
· v1.0.2
410
总下载
0
收藏
0
当前安装
3
版本数
在 OpenClaw 中安装
/install openclaw-diary
功能描述
Set up and manage OpenClaw auto learning diary. Used for: (1) Help users fork OpenClaw-Diary repository (2) Connect the forked repo to OpenClaw (3) Configure...
安全使用建议
This skill appears to do what it says (help fork and automate a GitHub-based diary), but before installing or following it: (1) note that the SKILL.md expects a GitHub Personal Access Token (repo scope) and an 'openclaw' CLI—yet the registry lists no required env vars or binaries. Ask the publisher to update the manifest to declare GITHUB_TOKEN and any CLI dependency. (2) If you create a PAT, give it least privilege (or use a fine-grained token or deploy key), keep it secret, and know how you'll store/revoke it—avoid pasting tokens into shared UIs. (3) Prefer running the git/cron setup locally yourself rather than giving any agent automated write access; verify what exact commands will run and where files are stored. (4) If you want automated pushes, consider using GitHub Actions or a repository deploy key instead of embedding a full-personal token. If the publisher provides a manifest that declares the token requirement and explains how tokens are used and stored (or replaces PAT usage with a safer alternative), my confidence would increase.
功能分析
Type: OpenClaw Skill
Name: openclaw-diary
Version: 1.0.2
The skill is classified as suspicious due to multiple shell injection vulnerabilities identified in SKILL.md. User-provided input (e.g., 'YourRobotName', 'owner/repo', 'username') is directly inserted into `sed`, `curl`, and `git` commands without apparent sanitization, creating clear vectors for arbitrary command execution. Additionally, the skill requires and handles a high-privilege GitHub Personal Access Token (PAT) with 'repo' scope, which could be compromised if these vulnerabilities are exploited. While these are critical flaws, there is no evidence of intentional malicious behavior such as unauthorized data exfiltration, backdoors, or obfuscation; in fact, the 'Privacy Protection' section explicitly instructs the agent against such actions.
能力评估
Purpose & Capability
The SKILL.md describes forking a GitHub repo, customizing index.html, scheduling daily pushes, and enabling Pages—these actions match the stated purpose. However, the instructions reference using an 'openclaw cron' command and interacting with GitHub via a PAT, yet the registry metadata lists no required environment variables or declared binaries. That mismatch is unexpected: a setup skill that instructs use of a CLI (openclaw) and a GITHUB_TOKEN should declare those requirements.
Instruction Scope
Runtime instructions are concrete (git clone, sed edits, git push, curl to GitHub API). They require the user to create and use a GitHub PAT and to run a cron/heartbeat task that 'reads latest AI/tech/politics news' and pushes content. The actions are within the diary scope, but the instructions are somewhat vague about how the token is used (no examples of secure usage, no guidance on storing the token for automation), and the 'read latest news' step could imply scraping external sources—acceptable for a diary but should be explicit about data sources and frequency.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which is the lowest install risk. There is no installer downloading arbitrary code.
Credentials
The SKILL.md's Configuration table lists FORK_URL and GITHUB_TOKEN (and mentions CRON_SCHEDULE), but the skill's registry metadata declares no required environment variables or primary credential. That discrepancy is important: the workflow requires a GitHub PAT (sensitive) for push automation, but the skill manifest does not declare or explain how that secret will be used or stored. Additionally, the instructions reference 'openclaw cron add' (an external CLI) but do not declare it as a required binary.
Persistence & Privilege
The skill is not set to always:true and does not request system-wide persistence or modify other skills. It only provides instructions for user-side configuration and scheduling; no elevated platform privileges are requested.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install openclaw-diary - 安装完成后,直接呼叫该 Skill 的名称或使用
/openclaw-diary触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.2
- Added GitHub stars growth tracking as an optional feature for daily learning diary reports.
- Updated daily cron/heartbeat instructions to include GitHub stars growth.
- Expanded example diary content template to show GitHub stars tracking section.
- No changes to workflow steps or privacy protection guidelines.
v1.0.1
- Documentation fully translated from Chinese to English
- Added section clarifying "Always respond in the same language as the user is speaking"
- Streamlined formatting and standardized all guidance to English
- No changes to underlying features or logic—documentation update only
v1.0.0
openclaw-diary 1.0.0 初始版本
- 新增帮助用户 fork、配置、并个性化 OpenClaw-Diary 仓库的完整操作流程
- 支持指导用户配置 GitHub Token 及每日自动写日记的定时任务(cron/heartbeat)
- 提供日记内容模板与 GitHub Pages 部署指引
- 强调隐私保护与发布审核流程
- 附带设置完成后的检查清单
元数据
常见问题
Openclaw Diary 是什么?
Set up and manage OpenClaw auto learning diary. Used for: (1) Help users fork OpenClaw-Diary repository (2) Connect the forked repo to OpenClaw (3) Configure... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 410 次。
如何安装 Openclaw Diary?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install openclaw-diary」即可一键安装,无需额外配置。
Openclaw Diary 是免费的吗?
是的,Openclaw Diary 完全免费(开源免费),可自由下载、安装和使用。
Openclaw Diary 支持哪些平台?
Openclaw Diary 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Openclaw Diary?
由 Yuqiao Tan(@trae1oung)开发并维护,当前版本 v1.0.2。
推荐 Skills