Skillv2.0.0

ClawScan security

Mental Health · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 17, 2026, 6:49 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This skill is internally consistent with a local mental-health CLI: it contains shell scripts that provide mood checks, breathing exercises, journaling and tips, does not request credentials, and does not make external network calls.
Guidance: This skill appears to do what it claims and does not contact external servers or ask for credentials. Before installing, note that it stores journal entries locally (/tmp and a per-user data dir or MENTAL_HEALTH_DIR if set) so those files can contain sensitive personal data — consider where you want them stored and set MENTAL_HEALTH_DIR appropriately. Also verify how the platform will expose the scripts (SKILL.md examples refer to 'mental-health' commands but the repo provides bash scripts), and review/inspect the shipped scripts yourself if you want to be certain about invocation details. If you or someone using it is at risk, follow the emergency hotlines listed in the tool and seek professional help; this tool is explicitly not a substitute for clinical care.

Purpose & Capability: okName and description match the actual files and behavior: the scripts implement mood checks, breathing exercises, journaling, resources and stress-management guidance. No unrelated credentials, binaries, or surprising capabilities are requested.
Instruction Scope: noteSKILL.md and the scripts limit actions to printing guidance and writing/reading local journal files. The scripts write to /tmp and a per-user data directory (~/.local/share or MENTAL_HEALTH_DIR). Small mismatch: SKILL.md examples mention 'mental-health run' and 'mental-health help' while the provided scripts are invoked as 'bash mental.sh' or 'mental-health' style wrappers; verify how the platform will expose the script name. Otherwise there is no scope creep (no reading of unrelated system config or exfiltration).
Install Mechanism: okInstruction-only with shipped shell scripts; there is no install spec that downloads remote archives or runs package manager installs. No high-risk install mechanisms are present.
Credentials: okThe skill declares no required environment variables or credentials. One script optionally respects MENTAL_HEALTH_DIR/XDG_DATA_HOME for storage location, which is appropriate and limited in scope.
Persistence & Privilege: okSkill is not always-enabled and requests no elevated privileges. It persists user data locally (in /tmp and user data dir) which is expected behavior for journaling; it does not modify other skills or system-wide configs.