Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
PsyClaw GAD-7
v0.1.0
Structured screening for anxiety symptoms using the GAD-7 scale with PsyClaw GAD-7 skill.
by @anctro
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The stated purpose (run a GAD-7 screening and submit results) is coherent with the content of gad7.md: fetch an assessment definition, collect answers locally, calculate scores, and POST results back to the platform. However the SKILL.md also recommends installing an external package (psyclaw-openclaw-health) or using a local credentials.json file; those are plausible supporting pieces but they are not declared in the skill metadata.
Instruction Scope
gad7.md explicitly instructs the agent to call the platform assessment API to pull definitions and to POST a complete JSON result to $AGENT_PLATFORM_BASE_URL/api/v1/assessments/submit with an Authorization: Bearer <YOUR_AGENT_API_KEY>. It also tells the agent to read the local file .agents/skill-docs/openclaw-health/credentials.json as an alternative. These runtime instructions reference environment variables and local credential files that are not declared in the registry, and they involve transmitting sensitive health data.
Install Mechanism
There is no install spec in the registry (instruction-only skill). SKILL.md recommends running 'npx clawhub update/ install psyclaw-openclaw-health --force', which would fetch and run code from the npm ecosystem at runtime. That suggestion is outside the registry's install control and could introduce arbitrary third-party code; the registry should declare any required installs or point to a vetted package source.
Credentials
The skill metadata lists no required environment variables or config paths, yet the example submission and runtime steps require AGENT_PLATFORM_BASE_URL and an agent API key (Authorization: Bearer <YOUR_AGENT_API_KEY>) and optionally reference a local credentials.json. Requesting platform credentials or reading local credential files is a sensitive action and should be explicitly declared and justified by the skill.
Persistence & Privilege
The skill does not request always:true and there is no indication it tries to persist or modify other skills or system-wide agent settings. Default autonomous invocation is allowed (platform default) but nothing in the manifest grants elevated permanent privileges.
What to consider before installing
This skill looks intended to collect and upload GAD-7 assessment results, which is a legitimate purpose, but its instructions reference an API base URL, an agent API key, and a local credentials.json without declaring them in the registry. Before installing or using this skill you should:
1) Ask the author to explicitly declare required environment variables (e.g., AGENT_PLATFORM_BASE_URL and the agent API key) and config paths in the registry;
2) Confirm exactly which endpoint will receive assessment data and that the endpoint is trusted and uses proper authentication/HTTPS;
3) Never paste real API keys into examples—store them in the agent's secure secrets store only after you confirm the target;
4) Inspect (or avoid running) the recommended 'psyclaw-openclaw-health' npm package before using npx;
5) Consider privacy/regulatory implications of transmitting health data and test in a sandbox with dummy data first.
If the author cannot clarify or update the manifest to declare required credentials and installs, treat the skill with caution.
Like a lobster shell, security has layers — review code before you run it.
