Emotion State
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name:
Developer:
Version:
Description: OpenClaw Agent Skill
Suspicious High-Entropy/Eval files: 1
The skill is classified as suspicious due to its network capabilities and broader file system access. It makes network calls to user-configurable external endpoints (`EMOTION_CLASSIFIER_URL`) or OpenAI, sending user and agent message content for emotion classification, which is a risky capability if a malicious URL is configured by the user. Additionally, the hook reads state files of other agents from the OpenClaw state directory (`~/.openclaw/agents/<otherAgentId>/agent/emotion-state.json`), which represents a broader scope of file system access than strictly its own agent's state. While the `SKILL.md` mentions 'prompt injection', the code demonstrates this is for functional context injection of classified emotions, not malicious manipulation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may be biased by inferred emotional summaries, including potentially misleading or poisoned content from prior conversations.
This shows the hook automatically places persisted, generated emotion content into the system prompt, which is a high-authority context that can affect agent behavior.
stores them in a per-agent state file, and injects an `emotion_state` block into the system prompt during bootstrap.
Only enable this if you want emotion summaries to influence the agent. The hook should clearly mark the block as non-instructional data, sanitize/limit generated reasons, and provide an easy way to disable and clear it.
Recent user or assistant messages, which may contain private information, can be sent to OpenAI or any configured classifier URL.
The hook sends message text to either a configured classifier endpoint or OpenAI for classification, creating an external data boundary for chat contents.
async function classifyWithEndpoint(url: string, payload: { text: string; role: string }) { ... body: JSON.stringify(payload) ... } ... { role: "user", content: `Classify the emotion in this ${role} message:\n\n${text}` }
Use only trusted classifier endpoints, avoid configuring untrusted OPENAI_BASE_URL or EMOTION_CLASSIFIER_URL values, and make the external data sharing explicit to users before enabling the hook.
Emotional interpretations about a user may persist across sessions and appear in future agent context.
The skill stores persistent emotional inferences. Even without raw text, inferred reasons can reveal sensitive context and can be reused in later prompts.
Stores per-user emotion state across sessions in the agent state directory. ... It does not store raw user text; only model-inferred reasons.
Review the stored file, limit history size, and provide a documented way to clear the state when users do not want this memory retained.
Users may not realize from the registry metadata that enabling the hook can involve an OpenAI-compatible API key.
The skill uses an API credential for classification even though the registry metadata lists no primary credential or required environment variables.
"OPENAI_API_KEY": "YOUR_KEY", "OPENAI_BASE_URL": "https://api.openai.com/v1"
Declare the credential and environment variables in metadata, and scope the key to the minimum provider access needed.
Users may have less installation-time visibility into what runtime support and hook behavior are required.
The hook declares a runtime binary requirement and automatic bootstrap event, while the registry requirement section says no required binaries and there is no install spec.
metadata: { "openclaw": { "events": ["agent:bootstrap"], "requires": { "bins": ["node"] } } }
Align registry metadata with the hook requirements and document that enabling the hook causes Node-based code to run at agent bootstrap.
