Comprehensive AI-assisted therapeutic support framework with CBT, ACT, DBT, MI, session notes CLI, and crisis protocols.
Security Analysis
high confidenceThe skill mostly matches its stated purpose (managing therapy session notes) but has several incoherences and privacy risks — notably a hardcoded user path, file-deletion operations, and vague instructions that could cause the agent to read or aggregate other user data without explicit configuration.
Name/description, SKILL.md, and the CLI code all focus on session notes and therapeutic scaffolding (CBT/ACT/MI) so the core purpose is consistent — but the code hardcodes NOTES_DIR to /Users/sethrose/.clawdbot/workspace/therapy-notes while SKILL.md uses a generic {WORKSPACE} placeholder. That mismatch is incoherent: the skill will attempt to read/write a specific user's home path rather than a portable workspace path. This suggests sloppy packaging or leftover developer-specific configuration rather than direct maliciousness, but it is disproportionate to the declared, portable skill behavior.
SKILL.md directs the agent to update session notes every turn and to 'review the entire session file in its entirety' on session close, and to 'connect to prior therapy history if available.' Those are within a note-taking purpose, but the 'connect to prior therapy history' and broad review requirements are vague and grant the agent discretion to access other files or aggregate prior sessions. Combined with persistent local storage of sensitive therapy content, this increases privacy risk and scope creep.
No install spec (instruction-only with an included Python CLI). Nothing is downloaded or written to disk by an installer — the only code is the provided therapy-notes.py. This is the lowest install risk.
The skill declares no required env vars or credentials, which is plausible. However, the code assumes filesystem access to a hardcoded absolute path (/Users/sethrose/...), and performs move/delete (shutil.move, os.remove) and permanent deletion operations. Those require filesystem permissions and allow destructive changes to local files; such access is not declared or scoped in SKILL.md. No mention of encryption, access controls, or data retention — disproportionate given the PHI-like data being stored.
always:false and no install spec mean the skill does not demand forced inclusion or system-wide persistence. It does persist user data to disk (notes and sessions.json) which is expected for a notes manager, but it does not request elevated platform privileges or modify other skills' configs.
Guidance
Before installing or enabling this skill, consider the following: - Path mismatch: the Python CLI writes to /Users/sethrose/.clawdbot/workspace/therapy-notes (hardcoded). Verify and update the path to a correct, intended workspace directory; otherwise the skill may fail or write sensitive data to someone else's path. - Sensitive data at rest: the skill will persist session notes (potentially PHI). Confirm where files will be stored, whether they are encrypted, and who/what processes can read them. - Destructive operations: the CLI supports hard delete (permanent removal) and archive/restore via filesystem moves. Ensure you understand and control who can invoke these commands (agents with shell access could delete data). - Broad/inexact instructions: SKILL.md asks the agent to 'review entire session' and to 'connect to prior therapy history if available' without specifying safe search scope; that could cause reading unrelated files. Limit the agent's file access or explicitly configure which directories are permitted. - Clinical & safety concerns: the SKILL.md contains clinical directives (MUST complete case formulations, crisis protocols). This is not a substitute for trained clinicians. If you plan to use it clinically, ensure compliance with privacy laws and professional oversight. Recommendations: update the code to use a workspace-relative path (e.g., from an explicit WORKSPACE env var), add explicit configuration for storage location and retention, enable encryption or access controls on note files, restrict execution so only trusted users/agents can run the CLI, and review the SKILL.md for any vague instructions that could cause the agent to access unrelated data. If you cannot verify or modify the hardcoded path and data-handling behavior, treat the skill as risky for storing sensitive therapy notes.
Latest Release
v1.1.0
Added post-session therapist review guidelines, 3 Cs Framework, and Common Clinical Patterns section
More by @TheSethRose
Published by @TheSethRose on ClawHub
