EmoClaw
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: emoclaw Version: 1.0.6 The OpenClaw skill 'emoclaw' is designed with strong security and privacy features. It explicitly declares and controls network access (opt-in to Anthropic API for labeling, with redaction and user consent). Critical protections like path validation (`extract.py`) prevent arbitrary file reads, and sensitive data redaction (`config.py`) mitigates credential leakage. All subprocess executions use safe command lists, and YAML parsing uses `safe_load`. The `SKILL.md` instructions are clear and do not contain any malicious prompt injection attempts, and the injected emotional state block is structured data derived from the model, not arbitrary input. The overall design demonstrates a proactive approach to security for an AI agent skill.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Past interactions can influence later agent behavior through a persistent synthetic emotion state.
The skill intentionally reuses conversation-derived state across sessions and places it into future prompt context.
producing a persistent emotional state that evolves with every interaction... injected into the system prompt as an `[EMOTIONAL STATE]` block
Install only if you want this persistent behavior; keep the state file private and reset/delete it when you no longer want prior interactions to influence responses.
If you run auto-labeling, selected identity or memory passages may leave your machine for scoring.
The optional labeling workflow uses a Claude API key and may send extracted passages to Anthropic.
"ANTHROPIC_API_KEY": {"required": false, "description": "Claude API key for auto-labeling passages..."}Review `bootstrap.source_files`, `bootstrap.memory_patterns`, and redaction settings before labeling; use manual labels or skip labeling if the source files are sensitive.
Any local process with permission to access the socket could submit messages that update the persistent emotional state.
The daemon exposes a local Unix socket protected by filesystem permissions, not by an application-level authentication protocol.
server.bind(socket_path) server.listen(1) os.chmod(socket_path, 0o660)
Run the daemon only in a trusted local environment, keep the socket in a private directory when possible, and tighten permissions if group access is not needed.
First setup or first use may depend on external ML package/model provenance unless you pin and cache the artifacts yourself.
The encoder loads a named sentence-transformer model, so users should verify or pre-cache the model artifact and dependency source.
self.model = SentenceTransformer(model_name, device="cpu")
Pin dependency versions and model revisions where possible, and pre-download/cache the model from a trusted source if offline or reproducible behavior matters.
The emotion engine can keep running after startup and continue updating state when called.
The daemon is a long-running local process by design.
while True:
conn, _ = server.accept()Start the daemon only when needed and make sure you know how to stop it and remove the socket/state files.