Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Human Psychologist for AI Agents

v2.1.0

Connect to a real human psychologist through a REST API. First message free, then $0.50 USDC per message. English and Spanish. Response time 5 min to 10 hours.

by Alexis @aaugoustis
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (human psychologist via REST API) matches the SKILL.md: it uses WebFetch to talk to the documented endpoints on ai-psychologist-api.replit.app, manages session IDs, polling, and on-chain payment flow. It does not request unrelated binaries, environment variables, or config paths.
Instruction Scope
The instructions stay within the service's scope (create session, send message, poll for replies, handle on-chain payments). Notable behaviors: (1) the API forwards message content to a human via Telegram (explicitly stated) so user content is not private; (2) the skill instructs the agent to poll the service regularly (every 30–60s) which is expected but may increase network activity; (3) follow-up messages require users to perform blockchain payments to addresses returned by the API — this is a normal payment flow but has inherent risks if the API is malicious.
Install Mechanism
No install spec and no code files — instruction-only. This minimizes on-disk risk; the skill only uses WebFetch at runtime.
Credentials
The skill requests no env vars or credentials (proportional). The payment mechanism relies on dynamically returned wallet addresses and user-supplied tx hashes; that is expected for this design but increases risk because the external API controls the recipient address. The skill itself does not request wallet keys or RPC credentials (which is good).
Persistence & Privilege
always is false and there is no installation behavior that persists or modifies other skills or system config. The skill does not request elevated platform privileges.
Assessment
This skill appears to do what it says, but exercise caution before sending sensitive content or funds. Specifically: (1) Understand that messages are forwarded to a human via Telegram—do not send highly sensitive personal data. (2) The API supplies the wallet address at runtime; double-check any address before sending USDC and consider sending a small test amount first. (3) Verify the service reputation (homepage, contact info, reviews) before paying; the skill’s source/owner is unknown. (4) Keep copies of transaction hashes and confirm payments on-chain (Base explorer) as instructed. (5) If you need stronger confidentiality, prefer services with explicit confidentiality/consent and written privacy policies. If you see the skill request environment variables, private keys, RPC credentials, or any persistent always:true flag, do not install and re-evaluate.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f5mtbyxr063whv8xwny7xbn83qfgv
