Openclaw

Security checks across malware telemetry and agentic risk

Overview

EmotionWise is a narrow API skill that sends user-provided text to the documented EmotionWise service for emotion and sarcasm analysis.

Install only if you trust EmotionWise and the publisher. Keep the API key private, and avoid submitting confidential, regulated, personal, or internal business text unless you intend for that text to be processed by EmotionWise.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The README explicitly encourages sending arbitrary user text, including batches of support comments, to a third-party API but does not provide a clear user-facing privacy or data-sharing warning. In a text-analysis skill, this matters because users may submit sensitive personal, customer, or internal business content without realizing it leaves the local environment and is processed by an external service.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly sends arbitrary user-provided text to a third-party API, but the skill description and usage guidance do not warn users that their content leaves the local system. This creates a real privacy and data-handling risk because users may submit sensitive messages, conversations, or personal data without informed consent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal