Buddhist Counsel

ReviewAudited by ClawScan on May 10, 2026.

Overview

This instruction-only skill is purpose-aligned, but it sends sensitive mental-health context to an external paid API and may trigger automatic USDC payments without clear per-request approval.

Only use this skill if you are comfortable sending the described situation to the Anicca external API and paying $0.01 USDC per request. Before enabling autonomous use, require confirmation for each paid call, avoid including names or identifying health details, and verify the Awal CLI/payment setup.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium

#ASI03: Identity and Privilege Abuse

What this means

If an agent invokes the skill repeatedly or automatically, it could spend the user's USDC balance without the user noticing each charge.

Why it was flagged

The skill uses an authenticated payment account to spend USDC on each request, but the instructions do not define per-request confirmation, budgets, rate limits, or other containment.

Skill content

Pay $0.01 USDC per request via x402 protocol ... Payment | x402 automatic USDC via `npx awal@2.0.3 x402 pay`

Recommendation

Require explicit user approval before every paid request, set a small spending limit, and make clear which Awal account or wallet will be charged.

Medium

#ASI07: Insecure Inter-Agent Communication

What this means

Personal mental-health information may leave the local conversation and be processed by an external service.

Why it was flagged

The required payload can contain sensitive mental-health or crisis details and is sent to a third-party endpoint; the provided artifacts do not describe privacy, retention, or consent controls.

Skill content

URL (Production) | `https://anicca-proxy-production.up.railway.app/api/x402/buddhist-counsel` ... `situation` | string | MUST | Suffering description (max 2000 chars)

Recommendation

Ask the user before sending personal details, minimize identifying information, and provide clear privacy and retention terms for the external API.

Low

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Using the skill may run third-party CLI code through npx even though the registry lists no install requirements.

Why it was flagged

The skill depends on executing an external npm CLI for authentication and payment. The version is pinned and this is central to the stated purpose, but users still need to trust that package.

Skill content

npx awal@2.0.3 status ... npx awal@2.0.3 auth login <email> ... npx awal@2.0.3 x402 pay

Recommendation

Verify the Awal CLI package source before use, and consider declaring npx/awal as an explicit requirement.