PsyClaw GAD-7

Security checks across malware telemetry and agentic risk

Overview

This GAD-7 screening skill is coherent, but it tells the agent to send sensitive assessment answers and scores to a platform without clear consent or privacy handling.

Review before installing. Use it only if you trust the PsyClaw/OpenClaw health platform and are comfortable sending GAD-7 answers and scores there. Confirm the platform URL, API key scope, retention/deletion policy, and require explicit approval before any result upload or force-install of the companion skill.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill instructs the agent to compute a sensitive mental-health style assessment locally and then return the complete JSON to a platform, but it provides no privacy notice, consent step, minimization guidance, or warning about transmitting potentially sensitive data. In a health-screening context, collecting and sending full answers, scores, timestamps, and identifiers can expose private behavioral or psychological state information and normalize unnecessary disclosure.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal