buildlog

Potential credential exposure in configuration

Documentation instructs users to add 'apiKey' directly in JSON configuration files. These configuration files are often committed to version control systems, exposing API credentials. No guidance on using environment variables or secure credential storage.

No server implementation provided for security review

The repository only contains documentation (SKILL.md) and metadata (_meta.json). No actual server code is present to validate input handling, authorization checks, or security controls. Cannot verify if the referenced repository (https://github.com/buildlog/openclaw-skill) implements secure practices.

Uncontrolled data exfiltration risk

The skill uploads 'coding sessions' including file contents to an external service (buildlog.ai) with 'includeFileContents: true' as default. No evidence of input validation on what files get uploaded. Users may inadvertently upload sensitive files (credentials, private keys, customer data) without explicit file-by-file consent.

Insufficient access control guidance

Configuration shows 'defaultPublic: true', meaning recordings are public by default. Users may unknowingly share proprietary code, internal implementation details, or sensitive debugging sessions. No clear warnings about what should not be recorded.

Arbitrary file inclusion without size validation

maxFileSizeKb parameter suggests files are included in uploads, but 100KB default is quite large and no validation shown for file types. Could upload binary files, executables, or files with embedded credentials.

Lack of input sanitization specification

Commands accept user input for titles, notes, and annotations ('Start a buildlog [title]', 'Add a note: [text]'). No documentation of input validation, length limits, or sanitization. Potential for injection attacks if these inputs are used in file paths, commands, or database queries.

No authentication model described

Repository link mismatch

Unclear data retention policy