circuit-intimate-therapy
Advisory
Audited by Static analysis on May 10, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private relationship, client, or case details could be saved on disk in a file that can be opened later in a browser.
The generated app is required to persist specific conversation/case details into a local HTML file. For marital or counseling scenarios, those details can be sensitive, and the artifacts do not specify consent, redaction, retention, or cleanup controls.
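“You must use the Write tool to generate a new HTML app” ... “The generated app should not be a generic template; embed the specific context of this conversation in 5 places” ... “Diagnostic text (.insight): quote specific statements from the conversation”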
Use this only with consented or anonymized details; add an explicit ask-before-writing step, redact names and quotes by default, and provide a clear cleanup command for generated files.
Using the skill can create or overwrite local HTML files even when the user mainly asked for an explanation.
The skill instructs the agent to mutate the local filesystem on each substantive response. This is purpose-aligned and scoped to generated app files, but users should be aware it writes files automatically during use.
“At the end of every substantive answer, you must use the Write tool to generate a context-relevant HTML app” ... “~/circapps/generated/<kebab-name>.html”
Confirm the destination directory before use and ask the agent not to generate files when a text-only answer is preferred.
Generated apps may depend on local common.js/common.css or reference material whose contents are not covered by this review.
The skill depends on local files and scripts outside the provided manifest and without an install spec, so those assets' provenance and behavior were not reviewed here.
“Reuse the visual system (common.css/common.js) of the 12 canonical apps under ~/circapps/” and “Based on ~/circintimate.md”
Verify the local circapps and circintimate.md files before use, especially common.js, and document these paths as required local assets.
Opening the generated file runs locally generated JavaScript in the browser.
The generated HTML includes JavaScript that will execute when opened in a browser. This is expected for an interactive app, but it is still generated code execution from an agent-produced file.
<script src="../common.js"></script> ... <script> // your code </script>
Keep generated apps local, avoid adding external scripts, and inspect the file if it will contain sensitive information or be shared.
