Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Emotion State
v1.2.0
NL emotion tracking + prompt injection via OpenClaw hook
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's name/description (emotion tracking + injecting an emotion_state block into the system prompt) aligns with the included hook code. However the registry declares no required environment variables while the hook clearly expects and uses many (OPENAI_API_KEY, EMOTION_CLASSIFIER_URL, etc.). That discrepancy is incoherent and surprising to an installer.
Instruction Scope
The SKILL.md and HOOK.md instruct the agent to copy/enable a hook that reads session messages and injects an emotion_state block into the system prompt. The hook will transmit user/agent message text to an external classifier endpoint or OpenAI for classification (network calls). The SKILL.md claims it 'does not store raw user text' but the code sends raw text externally — this is a scope mismatch and a potential data-exfiltration vector. Injecting content into the system prompt is powerful and can change agent behavior.
Install Mechanism
No remote install or downloads are used; this is an instruction-only skill with a bundled hook file you copy into your workspace. That limits installer-level risk (nothing fetched from arbitrary URLs).
Credentials
Registry metadata lists no required env vars, but the hook expects multiple configuration variables (OPENAI_API_KEY, OPENAI_BASE_URL, EMOTION_CLASSIFIER_URL, EMOTION_* settings). Requiring an OpenAI API key (or any classifier endpoint) is a powerful permission because it causes user message text to be sent off-host. The number and sensitivity of env vars is disproportionate to what's declared.
Persistence & Privilege
The hook writes per-agent state to ~/.openclaw/agents/<agentId>/agent/emotion-state.json and injects a block into the system prompt during bootstrap. It does not request permanent 'always' inclusion, but system-prompt modification is an elevated capability — expected for hooks but worth noting because it can influence model behavior.
Scan Findings in Context
[system-prompt-override] expected: The hook intentionally injects an emotion_state block into the system prompt (this is its stated purpose), so the finding is expected. However, system-prompt injection is powerful, and in combination with the external classifier calls and the mismatch in declared env vars it increases risk.
What to consider before installing
This skill will read session messages, keep a per-agent emotion_state file under ~/.openclaw/agents/<agentId>/agent/emotion-state.json, and may send raw message text to an external classifier or OpenAI if configured. The registry omitted required env vars, and the SKILL.md's claim that it 'does not store raw user text' does not prevent it from transmitting raw text to external services. Before installing: (1) review the handler.ts code yourself or with a trusted developer; (2) do not provide an OPENAI_API_KEY (or any classifier URL) unless you trust the operator of that endpoint; (3) if you must test, run in an isolated agent/workspace with non-sensitive data; (4) inspect the system-prompt content the hook injects to ensure it doesn't contain instructions you don't want the model to follow. If you cannot audit the code or you need to protect sensitive user messages, avoid enabling this hook.
Like a lobster shell, security has layers — review code before you run it.
