superSoul — 技能工具
v1.0.0Provides psychological scoring standards and user state data to help AI generate personalized, professionally informed responses based on emotional and perso...
1· 197·0 当前·0 累计
by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's code and docs mostly match a local psychological-scoring purpose, but there are inconsistencies (declared vs actual env/requirements) and it reads/writes workspace files under the user's home which could expose unrelated sensitive data — review before installing.
评估建议
This skill implements local psychological scoring and stores per-user profiles under ~/.openclaw/data/herHug — that matches its stated purpose. Before installing: 1) Verify the skill source/repository (the README references a GitHub clone but contains placeholder usernames). 2) Inspect index.js fully for any network calls or hidden telemetry (the shipped code appears local-only, but confirm the truncated portion). 3) Be comfortable that the skill will read files in ~/.openclaw/workspace (IDENTIT...详细分析 ▾
ℹ 用途与能力
Name/description (psychological scoring and per-user state) align with the files and index.js which implement scoring standards and local storage. However SKILL.md metadata declares a required env var (OPENCLAW_DATA_DIR) and a required binary (node) while the registry metadata reported none — a minor inconsistency. The plugin.json requests file.read and file.write which are coherent for local storage but should be expected and reviewed.
⚠ 指令范围
Runtime instructions and code explicitly read and write files in ~/.openclaw/workspace and ~/.openclaw/data/herHug/<userId> (IDENTITY.md, USER.md, memory/interaction-preferences.json etc.). That is coherent for initializing personalization, but it grants the skill access to other workspace files that may contain unrelated/sensitive information. The SKILL.md and README direct the agent to persist many user data artifacts locally (raw_scores.jsonl, personality.json, intimacy.json, etc.), so data retention and content should be checked.
✓ 安装机制
No install spec in registry (instruction-only), package.json has no external dependencies and README suggests cloning from GitHub and npm install. There is no remote download or obscure install URL in the package — lower install risk. The README clone URL and SKILL.md 'homepage' contain placeholders / non-official references; verify repository origin before cloning.
ℹ 凭证需求
The skill declares no required credentials in registry, and the code uses HOME/USERPROFILE to build paths (local storage). SKILL.md metadata mentions OPENCLAW_DATA_DIR but the code doesn't appear to actually use that env var — inconsistent declarations. No network/API keys are requested (good), but file read/write permission is required to fulfill its functionality.
ℹ 持久化与权限
always:false (normal). The skill persists long-lived user data in ~/.openclaw/data/herHug and reads files from ~/.openclaw/workspace; this is expected for personalization but grants long-term storage of sensitive psychological inferences. The skill does not request elevated system privileges or modify other skills; autonomous invocation is allowed by default (not a unique risk here) but increases blast radius if combined with other issues.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/3/16
herhug-sk 1.0.0 - 首次发布心理学评分引擎 herHug,支持专业化的用户心理理解。 - 提供获取评分标准、保存用户评分、获取当前状态和每日情绪节律分析等核心接口。 - 支持 OCEAN+HEXACO 人格、情绪节律、心理灵活性、应激应对、置信度等多维度心理数据。 - 用户数据本地化存储,细分为原始评分、节律、状态、情感追踪和置信度报告。 - 置信度分级指导回复风格,提升个性化与可靠性。 - 明确数据交互及典型工作流程,便于集成与开发使用。
● 无害
安装命令
点击复制官方npx clawhub@latest install herhug
镜像加速npx clawhub@latest install herhug --registry https://cn.longxiaskill.com 镜像可用