Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

superSoul

Provides psychological scoring standards and user state data to help AI generate personalized, professionally informed responses based on emotional and perso...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 17 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (psychological scoring and per-user state) align with the files and index.js which implement scoring standards and local storage. However SKILL.md metadata declares a required env var (OPENCLAW_DATA_DIR) and a required binary (node) while the registry metadata reported none — a minor inconsistency. The plugin.json requests file.read and file.write which are coherent for local storage but should be expected and reviewed.
Instruction Scope
Runtime instructions and code explicitly read and write files in ~/.openclaw/workspace and ~/.openclaw/data/herHug/<userId> (IDENTITY.md, USER.md, memory/interaction-preferences.json etc.). That is coherent for initializing personalization, but it grants the skill access to other workspace files that may contain unrelated/sensitive information. The SKILL.md and README direct the agent to persist many user data artifacts locally (raw_scores.jsonl, personality.json, intimacy.json, etc.), so data retention and content should be checked.
Install Mechanism
No install spec in registry (instruction-only), package.json has no external dependencies and README suggests cloning from GitHub and npm install. There is no remote download or obscure install URL in the package — lower install risk. The README clone URL and SKILL.md 'homepage' contain placeholders / non-official references; verify repository origin before cloning.
Credentials
The skill declares no required credentials in registry, and the code uses HOME/USERPROFILE to build paths (local storage). SKILL.md metadata mentions OPENCLAW_DATA_DIR but the code doesn't appear to actually use that env var — inconsistent declarations. No network/API keys are requested (good), but file read/write permission is required to fulfill its functionality.
Persistence & Privilege
always:false (normal). The skill persists long-lived user data in ~/.openclaw/data/herHug and reads files from ~/.openclaw/workspace; this is expected for personalization but grants long-term storage of sensitive psychological inferences. The skill does not request elevated system privileges or modify other skills; autonomous invocation is allowed by default (not a unique risk here) but increases blast radius if combined with other issues.
What to consider before installing
This skill implements local psychological scoring and stores per-user profiles under ~/.openclaw/data/herHug — that matches its stated purpose. Before installing:
1) Verify the skill source/repository (the README references a GitHub clone but contains placeholder usernames).
2) Inspect index.js fully for any network calls or hidden telemetry (the shipped code appears local-only, but confirm the truncated portion).
3) Be comfortable that the skill will read files in ~/.openclaw/workspace (IDENTITY.md, USER.md, memory/*) — remove or sanitize any sensitive data from those files if you don't want them accessed.
4) Decide whether you accept long-term local storage of inferred psychological data and configure retention/deletion policies.
5) Install in a sandbox or test user account first if you are unsure.
If you want, provide the rest of index.js (it was truncated) and I can re-scan for network I/O or other risky behavior to raise confidence.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latestvk977zy8jw0e4ahd0w2qcg4nyy5830bz5


SKILL.md


name: herhug-sk
description: 心理学评分引擎 - 让AI从专业角度理解用户,越用越懂你
metadata: { "openclaw": { "emoji": "🤗", "homepage": "https://github.com/xinqimiao/herHug-sk.git", "requires": { "bins": ["node"], "env": ["OPENCLAW_DATA_DIR"] } } }

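herHug - Psychological Scoring Engine

🤗 She understands you

herHug does not generate replies directly. Instead, it provides psychological scoring standards and user state data, so that the large language model can use this data to generate replies that truly understand you.

📊 Core features

1. Get scoring standards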

const standards = await openclaw.skills.run('herHug', 'get-scoring-standards');

2. Save user scores

await openclaw.skills.run('herHug', 'save-score', {
  scoreData: {
    timestamp: new Date().toISOString(),
    content: userInput,
    ocean: { ... },
    emotion: { ... },
    flexibility: { ... },
    coping: { ... },
    confidence: 0.7
  }
});

3. Get current state

const state = await openclaw.skills.run('herHug', 'get-current-state');

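4. Daily emotional rhythm analysis

const rawData = await openclaw.skills.run('herHug', 'get-daily-rhythm-data');
await openclaw.skills.run('herHug', 'save-daily-rhythm', { rhythmAnalysis: analysisResult });

🧠 Psychological dimensions

| Dimension | File | Description |
| --- | --- | --- |
| OCEAN+HEXACO | 01_ocean_hexaco.md | Personality skeleton |
| Emotional rhythm | 02_emotional_rhythm.md | Temporal patterns (daily/weekly/resilience) |
| Psychological flexibility | 03_psychological_flexibility.md | Adaptability |
| Stress coping | 04_stress_coping.md | Stress response |
| Confidence | 05_confidence_scoring.md | Degree of trustworthiness |

⚠️ Confidence principles

- ≥0.7: fully trusted; used to adjust the reply style
- 0.4-0.7: use with caution; confirm by asking questions more often
- <0.4: ignore; use the default strategy

📁 Data storage

All user data is saved under the ~/.openclaw/data/herHug/<userId>/ directory:

- raw_scores.jsonl: raw scores (time series)
- daily_rhythm.json: daily emotional rhythm
- current_state.json: current state (confidence-weighted)
- emotion_tracker.json: proactive care to-dos
- confidence_report.json: confidence report

🔄 Complete workflow

- After each conversation: the LLM analyzes the input → generates scores → calls save-score
- Once a day: call get-daily-rhythm-data → LLM analysis → call save-daily-rhythm
- Before each reply: call get-current-state → generate the reply based on the state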

Files

19 total