Skill v0.1.2

ClawScan security

Thymos — Emotional Engine · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 9, 2026, 7:15 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's declared purpose (modulating agent tone via a local emotional state) matches its instructions, but it deliberately instructs the agent to accept external 'prompt_injection' content from a file/daemon — a powerful prompt‑override capability that raises meaningful risk and needs careful review before enabling.
Guidance
This skill is designed to let external, local data (and an optional background daemon) influence your agent's system prompt and tone. That behavior is coherent with an 'emotion engine' but it is effectively a prompt‑injection mechanism: any process or person that can write ~/Documents/thymos/data/emotional_state.json (or the running daemon's endpoints) can change how the agent behaves. Before installing or enabling the daemon or OpenClaw hook:

1) Review the upstream GitHub code yourself (or have someone you trust audit it) — do not run blindly.
2) Keep proactive messaging disabled unless you trust giving a Discord token to the service.
3) If you use the file-based mode, restrict file permissions (owner-only write) and consider using a directory outside of world-writable locations.
4) If integrating with OpenClaw, be aware the hook will forward every incoming/outgoing message to the daemon.
5) If you want to be cautious, use read-only evaluation of the JSON (inspect it manually) rather than automatically applying its 'Tone' to system prompts, or run the daemon in an isolated environment (container/VM) and firewall its network access.

The pre-scan found a 'system-prompt-override' pattern in the SKILL.md — this is expected for the feature but also the primary reason to treat the skill as suspicious rather than benign.
Findings
[system-prompt-override] expected: The repository and SKILL.md intentionally instruct the agent to read an external 'prompt_injection' field and apply the 'Tone:' line to the LLM prompt. That is exactly a system-prompt override pattern — expected for a feature that modifies tone, but also the single highest-risk element because it hands external data authority to change agent behavior.

Review Dimensions

Purpose & Capability
note: Name/description (emotion engine that shapes agent tone) aligns with the instructions: the agent is told to read ~/Documents/thymos/data/emotional_state.json and apply its prompt_injection/Tone as style guidance. The optional daemon, relationship memory, circadian modulation, and proactive messaging are consistent with an emotional-state engine. No unrelated credentials or binaries are requested.
Instruction Scope
concern: SKILL.md explicitly tells the agent to read a file in the user's home directory before every response and to 'apply the prompt_injection field' and 'Follow the Tone line as concrete style guidance.' That is a prompt-injection mechanism: external, writable content is given authority to change system-level behavior. The SKILL.md's instructions therefore grant outside data direct influence over the agent's system prompt/behavior, which is a high-impact capability and a scope creep risk even if it's 'intended'.
Install Mechanism
note: The registered skill is instruction-only (no install spec), so nothing is written to disk by the registry. The documentation suggests cloning a GitHub repo and running npm install/npm start if the user opts into the daemon — a normal optional install path. Because the registry doesn't itself perform the install, the immediate risk is low, but if you choose to clone/run the upstream daemon you must review that repository (network fetch, npm deps, and runtime behavior).
Credentials
note: The skill requires no environment variables or credentials for basic, file-based operation. Optional features (proactive Discord messaging) require a Discord bot token placed in config/proactive.json; that's documented and opt-in. The number and type of credentials requested (none by default) are proportionate, but adding the Discord token gives the daemon external network capability and should be treated carefully.
Persistence & Privilege
note: The skill does not force presence (always:false). Persistence (pm2, background daemon, OpenClaw hook) is optional and user-initiated. However, enabling the OpenClaw hook or running the daemon creates a persistent process that will receive every incoming/outgoing message (POST /webhook/stimulus and /self-feedback) and can proactively message Discord if configured — a nontrivial persistent integration that changes agent behavior over time.