Back to skill
Skillv0.1.2
ClawScan security
Openclaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 25, 2026, 7:47 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requests and runtime instructions match its stated purpose (emotion/sarcasm analysis via EmotionWise) and it only needs a single API key; main risk is that user text is sent to a third‑party API and the key is stored in your OpenClaw config.
- Guidance
- This skill appears to do what it says: it sends user-supplied text to EmotionWise's API and returns emotion/sarcasm results. Before installing: (1) confirm you trust the external service (https://emotionwise.ai) and its privacy policy, because any text you analyze (including sensitive info) will be transmitted offsite; (2) protect the EMOTIONWISE_API_KEY stored in your OpenClaw config (treat it like a secret); (3) consider using a scoped or revocable API key and test with non-sensitive data first; (4) verify the repo/homepage if you need provenance (README references a GitHub repo but the skill source is marked unknown). If you need stricter privacy, do not install or avoid sending PII to the skill.
- Findings
[no_regex_findings] expected: The package is instruction-only with no code files, so the static regex scanner had nothing to analyze. This is expected but means runtime behavior is defined entirely by the SKILL.md and runtime API calls.
Review Dimensions
- Purpose & Capability
- okName/description, SKILL.md, README, and examples all consistently describe calling EmotionWise's emotion-detector endpoint. The only required credential is EMOTIONWISE_API_KEY, which is appropriate for this purpose.
- Instruction Scope
- noteRuntime instructions are focused and only instruct the agent to POST the provided text to https://api.emotionwise.ai with the API key header. They do not instruct reading other files or unrelated environment variables. Important privacy note: whatever text the user supplies will be transmitted to the external service (no built-in redaction or privacy guidance in SKILL.md).
- Install Mechanism
- okNo install spec and no code files — instruction-only skill. This minimizes on-disk execution risk because nothing is downloaded or executed by the install process.
- Credentials
- okOnly a single credential (EMOTIONWISE_API_KEY) is required and it's the declared primary credential. The README instructs storing it in the OpenClaw config (~/.openclaw/openclaw.json), which is expected but means the key will be present on disk and needs to be protected.
- Persistence & Privilege
- okSkill is not forced-always and does not request elevated platform privileges. It only requires enabling in the user's OpenClaw config to provide its API key — standard behavior for an API-based skill.