Crisis Detector
v1.0.0Detects suicide ideation, self-harm, and mental health crises using NLP and sentiment analysis, providing real-time alerts and connecting users to help resou...
⭐ 0· 448·2 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (crisis detection and outreach) aligns with the examples and APIs in SKILL.md. However, the SKILL.md expects an external npm package (@raghulpasupathi/crisis-detector) to implement the functionality while the skill bundle contains no install spec or code — the registry entry is instruction-only. Features like 'alert designated contacts or authorities', 'real-time monitoring', and 'historical analysis' imply access to contact info, persistent storage, and outbound communications that are not declared or justified in the skill metadata.
Instruction Scope
The runtime instructions show API usage examples (analyze, assessSeverity, etc.) but do not define how emergency contacts, telephone/text gateways, or monitoring are configured or authorized. The SKILL.md suggests automatic outreach and continuous monitoring, which could cause the agent to collect, store, or transmit sensitive user data — yet there are no concrete safeguards, consent flows, or limits described. The instructions give broad operational discretion (automaticMessage, humanOutreach, emergency_intervention) without specifying required user approvals or technical controls.
Install Mechanism
There is no install spec in the registry bundle, but the SKILL.md explicitly instructs installing a third-party npm package (@raghulpasupathi/crisis-detector) and links a ClawHub URL. Directing users/agents to install an external npm package is a moderate risk: the package could execute arbitrary code and exfiltrate data. Because the skill itself doesn't include the package or vetting info (source repo, checksums), the instruction to use an external package is a dependency provenance gap that raises concern.
Credentials
The skill declares no required environment variables or credentials, yet it advertises features that normally require secrets or external integrations (SMS/email gateways, API keys for notification services, contact lists, logging/storage backends). Absence of declared required credentials or config paths is inconsistent with the described capability to notify emergency contacts or authorities and to perform real-time monitoring and persistent historical analysis.
Persistence & Privilege
always is false and the skill does not request persistent platform privileges or system-wide configuration changes. Autonomous invocation is allowed by default (disable-model-invocation: false), which is normal. There is no evidence the skill would modify other skills or agent-wide settings.
What to consider before installing
This skill claims to detect crises and automatically contact people or authorities but provides no concrete install provenance, consent flow, or integration details. Before installing or using it: 1) Verify the npm package: inspect the package source repository, recent maintainer activity, and published code (do not install blind). 2) Confirm how emergency contacts and notification channels are configured — require explicit user-supplied contact info and never grant automatic access to system address books. 3) Demand clear privacy controls: where data is stored, retention period, logging behavior, and explicit user consent for monitoring and outreach. 4) Prefer manual human escalation over automatic calls to authorities, and test in a safe environment first. 5) If you cannot audit the third-party package or the author is unknown, treat this skill as high risk and avoid deploying it for real users.Like a lobster shell, security has layers — review code before you run it.
latestvk974b1wqe2tkx0r3edf2z8nq4n81j6zy
License
MIT-0
Free to use, modify, and redistribute. No attribution required.