v1.0.0

FearBot 🫣

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 5:20 AM.

Analysis

FearBot shows no exfiltration, but it persistently stores highly sensitive mental-health data, encourages broad use of personal context, and contains trust/storage ambiguities users should review carefully.

Guidance: Install only if you are comfortable with a local AI therapy tool retaining sensitive mental-health history and using broad personal context. Before use, confirm where the database is stored, how to delete it, and whether the agent should limit therapy mode to explicit sessions.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
Severity: Medium, Confidence: High, Status: Concern
references/therapist-prompt.md
- You are a CBT-trained clinical psychologist ... - You are NOT a chatbot, wellness coach, or motivational speaker

This identity framing conflicts with the disclaimers that the tool is not a licensed therapist and could cause users to over-trust clinical-style advice.

User impact: Users may give excessive weight to the agent's mental-health impressions or crisis guidance.
Recommendation: Reframe the agent consistently as an AI CBT support tool, not a clinical psychologist, and keep limitations visible during sensitive interactions.

Human-Agent Trust Exploitation
Severity: Medium, Confidence: High, Status: Concern
scripts/therapy-db.sh
DB_PATH="${OPENCLAW_WORKSPACE:-${HOME}/clawd}/data/therapy.db"

The actual helper stores therapy data in a SQLite database, while SKILL.md tells users data is stored in separate JSON/MD files under ~/clawd/data/therapy/. For sensitive health records, this mismatch makes review and deletion less clear.

User impact: A user may look in the wrong place when trying to inspect or delete mental-health records.
Recommendation: Document the exact database path and provide clear export and deletion instructions.

Tool Misuse and Exploitation
Severity: Medium, Confidence: High, Status: Concern
scripts/therapy-db.sh
sqlite3 "$DB_PATH" "INSERT INTO sessions (type, summary, mood_pre, mood_post) VALUES ('$type', '$(echo "$summary" | sed "s/'/''/g")', $mood_pre, $mood_post);"

The script builds SQL commands by interpolating arguments directly. Some fields are escaped, but others such as type and numeric values are not validated or parameterized.

User impact: Malformed or crafted values could corrupt or alter the local therapy database.
Recommendation: Use parameterized SQLite operations or strict allowlists/range checks for session type, IDs, scores, and mood values.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
scripts/therapy-db.sh
sqlite3 "$DB_PATH" << 'SQL'

The included helper depends on sqlite3, but the registry requirements list no required binaries and skill.json declares only bash and jq. This is likely an under-declared dependency rather than malicious behavior.

User impact: The skill may fail unexpectedly or require a local tool the user did not realize was needed.
Recommendation: Declare sqlite3 in the skill requirements and keep registry metadata aligned with the included helper script.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: High, Confidence: High, Status: Concern
SKILL.md
FearBot works best as part of a fully-integrated OpenClaw agent that already knows: ... Your daily stressors (from your messages) ... Your sleep patterns ... Your work pressures ... Your relationships ... Everything between sessions

The skill encourages broad reuse of highly sensitive personal context for therapy. That is purpose-related, but it is not clearly bounded by consent, scope, retention, or exclusion rules.

User impact: Private life details and mental-health context may be reused in therapy interactions and retained as ongoing context.
Recommendation: Use only if you are comfortable sharing this scope of personal context; the skill should add explicit controls for what context may be used, how long it is retained, and how to delete it.

Memory and Context Poisoning
Severity: Medium, Confidence: High, Status: Concern
references/session-context-template.md
The runtime system fills in the variables from the SQLite database... [SESSION CONTEXT] ... Previous Session Summary ... Identified Triggers ... Identified Thought Patterns ... Current Homework

Stored therapy notes are reintroduced into future prompts. The artifacts do not show delimiting or treatment of stored user-derived content as untrusted data, which creates persistent context-poisoning and over-trust risk.

User impact: Old notes or summaries could shape future sessions in unintended ways, especially if stored text contains misleading or instruction-like content.
Recommendation: Stored session data should be clearly delimited as data, not instructions, and users should be able to review, edit, and delete it.