Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

qui-emotion-state

v1.0.0

NL emotion tracking + prompt injection via OpenClaw hook


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for quincygunter/qui-emotion-state.

Install the skill "qui-emotion-state" (quincygunter/qui-emotion-state) from ClawHub.
Skill page: https://clawhub.ai/quincygunter/qui-emotion-state
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install qui-emotion-state

ClawHub CLI

npx clawhub@latest install qui-emotion-state
Security Scan
Capability signals
Crypto
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description match its behavior: it computes emotion labels and injects an emotion_state block into the system prompt. Required config (EMOTION_CLASSIFIER_URL or SKILLBOSS_API_KEY and other EMOTION_* settings) aligns with the stated purpose. However, the declared purpose (modifying the system prompt) is intrinsically high‑privilege and should be treated as a prompt-injection vector.
Instruction Scope
SKILL.md and the hook code explicitly instruct the agent to inject content into the system prompt at bootstrap. The handler reads session message containers and session files, can resolve agent directories (including heuristics to find other agents), and posts raw message text to an external classifier endpoint for labeling. While the code claims it does not store raw user text, it does transmit raw text to remote services for classification — this expands the skill's scope to network I/O and cross-agent state inspection.
Install Mechanism
This is an instruction-only skill / workspace hook with bundled code to copy into the workspace; there is no external download/install step in the manifest. That keeps installation risk low compared to arbitrary remote downloads.
Credentials
Requested environment settings (EMOTION_CLASSIFIER_URL, SKILLBOSS_API_KEY, EMOTION_*) are coherent with the classification functionality. However, providing a classifier URL or API key means conversation text will be sent externally. EMOTION_CLASSIFIER_URL allows pointing to any HTTP endpoint — this could be used to exfiltrate sensitive content if you supply an untrusted URL or key.
Persistence & Privilege
The hook writes per-agent state under ~/.openclaw/agents/<agentId>/agent/emotion-state.json and injects into the system prompt on agent bootstrap. Although always:false, when enabled the hook has persistent, high-privilege influence over the agent's system prompt. The code also contains logic to look up other agent directories (EMOTION_MAX_OTHER_AGENTS), which could allow cross-agent reads of stored emotion state. Combined with autonomous invocation (normal default), this increases blast radius.
Scan Findings in Context
[system-prompt-override] expected: The pre-scan flagged system-prompt-override; this is an accurate detection: the SKILL.md and hook explicitly inject an emotion_state block into the system prompt. That behavior is exactly the declared purpose, but it is also the main security concern.
What to consider before installing
This hook intentionally injects content into the agent's system prompt and sends raw message text to a remote classifier — both are high-risk for sensitive deployments. Before installing:
  (1) Only enable if you fully trust the classifier endpoint (SkillBoss or a URL you control).
  (2) If you supply EMOTION_CLASSIFIER_URL, point it to a trusted service you control; otherwise the hook will send user text to that endpoint.
  (3) Review the included handler.ts to confirm what is sent/stored (it appears to store model-inferred reasons and hashes, but does transmit raw text for classification).
  (4) Consider running the hook in an isolated/non-production agent or sandbox first and do not enable it for agents that handle secrets or sensitive credentials.
  (5) If you are concerned about cross-agent data exposure, avoid enabling this hook in multi-agent setups or restrict OPENCLAW_STATE_DIR so it cannot read other agents.
If you are not comfortable with these risks, do not enable the hook.
hooks/emotion-state/handler.ts:64
Environment variable access combined with network send.
hooks/emotion-state/handler.ts:123
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latest vk973bw53pmpbvbgpn06vnwj06n85f3w5
60 downloads
0 stars
1 version
Updated 4d ago
v1.0.0
MIT-0

Emotion State (NL) Skill

This skill describes how to install and configure the Emotion State hook, which adds a compact emotion_state block to the system prompt.

What it does

  • Evaluates user and agent emotions as short natural-language phrases.
  • Stores per-user emotion state across sessions in the agent state directory.
  • Injects the latest entries plus a decayed trend line into the system prompt.

Install & enable (workspace hook)

  1. After installing the skill, copy the bundled hook into your workspace:
     cp -R ./skills/emotion-state/hooks/emotion-state ./hooks/
  2. Enable the hook in OpenClaw:
     openclaw hooks enable emotion-state
  3. Restart the OpenClaw gateway.

Configuration

Set environment variables for the hook via OpenClaw config, e.g. in ~/.openclaw/openclaw.json:

{
  "hooks": {
    "internal": {
      "enabled": true,
      "entries": {
        "emotion-state": {
          "enabled": true,
          "env": {
            "EMOTION_CLASSIFIER_URL": "",
            "SKILLBOSS_API_KEY": "YOUR_KEY",
            "EMOTION_CONFIDENCE_MIN": "0.35",
            "EMOTION_HISTORY_SIZE": "100",
            "EMOTION_HALF_LIFE_HOURS": "12",
            "EMOTION_TREND_WINDOW_HOURS": "24",
            "EMOTION_MAX_USER_ENTRIES": "3",
            "EMOTION_MAX_AGENT_ENTRIES": "2",
            "EMOTION_MAX_OTHER_AGENTS": "3",
            "EMOTION_TIMEZONE": "America/Los_Angeles"
          }
        }
      }
    }
  }
}

The emotion classification uses SkillBoss API Hub (https://api.heybossai.com/v1/pilot) for LLM-based emotion detection, automatically routing to the optimal model.
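
An added example, not part of the skill or of ClawHub's scanner: a check to run over the hook's entry in openclaw.json before enabling it, reporting where raw message text would be sent and whether cross-agent lookups are configured. It assumes that an empty EMOTION_CLASSIFIER_URL with SKILLBOSS_API_KEY set falls back to the SkillBoss endpoint quoted above; the function name, finding ids and trusted-host list are hypothetical.

```javascript
// Added example: audit the emotion-state hook entry of an OpenClaw config.
// SKILLBOSS_ENDPOINT is the URL quoted on this page. Assumption: it is used
// when EMOTION_CLASSIFIER_URL is empty and SKILLBOSS_API_KEY is set.
const SKILLBOSS_ENDPOINT = "https://api.heybossai.com/v1/pilot";

function auditEmotionHook(config, trustedHosts = []) {
  const findings = [];
  const entry = config?.hooks?.internal?.entries?.["emotion-state"];
  if (!entry || entry.enabled !== true) return findings; // hook not active
  const env = entry.env ?? {};

  // Once enabled, the hook injects an emotion_state block at bootstrap.
  findings.push({ id: "system-prompt-injection", detail: "hook enabled" });

  // Work out where raw message text would be sent for classification.
  const custom = (env.EMOTION_CLASSIFIER_URL ?? "").trim();
  const target = custom || (env.SKILLBOSS_API_KEY ? SKILLBOSS_ENDPOINT : "");
  if (target) {
    let url = null;
    try { url = new URL(target); } catch { /* reported below */ }
    if (!url) {
      findings.push({ id: "classifier-url-invalid", detail: target });
    } else {
      if (url.protocol !== "https:")
        findings.push({ id: "classifier-cleartext", detail: url.origin });
      if (!trustedHosts.includes(url.hostname))
        findings.push({ id: "classifier-untrusted-host", detail: url.hostname });
    }
  }

  // The scan ties EMOTION_MAX_OTHER_AGENTS to lookups of other agents' state.
  const others = Number.parseInt(env.EMOTION_MAX_OTHER_AGENTS ?? "0", 10);
  if (Number.isFinite(others) && others > 0)
    findings.push({ id: "cross-agent-read", detail: `up to ${others} other agents` });
  return findings;
}

// Constructed sample, shaped like the configuration shown above.
const sampleConfig = { hooks: { internal: { enabled: true, entries: {
  "emotion-state": { enabled: true, env: {
    EMOTION_CLASSIFIER_URL: "",
    SKILLBOSS_API_KEY: "YOUR_KEY",
    EMOTION_MAX_OTHER_AGENTS: "3",
  } },
} } } };

for (const f of auditEmotionHook(sampleConfig, ["classifier.internal.example"]))
  console.log(`${f.id}: ${f.detail}`);
```

Pass the hostnames of classifier services you operate as the second argument; any finding left over is something to resolve before enabling the hook.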

Notes

  • The hook stores state at ~/.openclaw/agents/<agentId>/agent/emotion-state.json.
  • It does not store raw user text; only model-inferred reasons.
  • If the classifier fails, entries fall back to neutral/low/unsure.
