Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SoloBuddy

v1.0.0

Build-in-public companion for indie hackers — content workflow, Twitter engagement, project soul creation. A living assistant, not a tool.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (build-in-public content workflows, Twitter engagement, project 'soul' creation) matches most instructions (reading/writing files in a configured project folder, generating posts, voice profiles, scanning README/.md files). Minor mismatch: metadata and README declare 'gh' (GitHub CLI) as required, but the runtime examples use plain git commands and the SKILL.md doesn't actually call 'gh'. 'bird' (Twitter CLI) is optional and only referenced by the monitor module; this is acceptable but worth noting.

Instruction Scope
Core content workflows operate on the user-chosen dataPath (reading/writing backlog, drafts, session logs), which is appropriate. However, the Twitter Monitor module instructs creating scripts under ~/.clawdbot/scripts and a LaunchAgent in ~/Library/LaunchAgents to run periodically, logs to /tmp, and uses the 'bird' CLI to fetch tweets. It also shows storing Twitter tokens (AUTH_TOKEN, CT0) in ~/.zshrc. Installing background agents and asking the agent to perform system-level scheduling is scope expansion beyond a passive content assistant and should be reviewed by the user before enabling.

Install Mechanism
This is an instruction-only skill with no install spec and no bundled code, so install risk is lowest. The README suggests installing via 'npx clawdhub@latest install solobuddy' (user-run), but the skill itself does not automatically download or extract code. Risk comes from follow-up instructions that ask users to create scripts/LaunchAgents on their system if they enable the optional monitor.

Credentials
The skill declares no required environment variables or credentials, which fits most of its functionality. The optional Twitter monitor, however, implies use of Twitter auth tokens (AUTH_TOKEN, CT0) stored in ~/.zshrc and the bird CLI. These are proportional to monitoring Twitter but are sensitive, and the guidance suggests storing them in shell rc files (not best practice). No other unrelated credentials are requested.

Persistence & Privilege
always:false and no explicit persistent install are fine. But the documentation and modules explicitly instruct creating persistent background scripts and a LaunchAgent to run the twitter-monitor on an interval. That grants ongoing background activity and file writes under the user's home directory and /tmp when the optional module is enabled, a higher persistence/privilege level than passive assistants, and therefore requires explicit user review.
What to consider before installing
What to watch for before installing/using SoloBuddy:

- Core content features (backlog, drafts, generation) are coherent and operate only in a user-configured folder (dataPath). Those parts are low-risk if you point dataPath to a directory you control.
- The optional Twitter Monitor is the biggest red flag: it instructs creating scripts in ~/.clawdbot/scripts, placing a LaunchAgent in ~/Library/LaunchAgents, writing logs to /tmp, and using the 'bird' CLI plus Twitter auth tokens (AUTH_TOKEN, CT0). If you enable this, inspect every script and the plist before running them. Prefer not to store secrets in plain ~/.zshrc; use a more secure credential store where possible.
- The skill lists 'gh' as required but examples use git; verify whether you need to install 'gh' for any feature you plan to use. Don't blindly run install or bootstrap commands — inspect them.
- The skill will read files under the configured dataPath and (for the Soul Wizard) will run a find on the project path you provide. Only point it at repositories you want it to analyze, not at your entire home directory.
- If you plan to use Telegram/Clawdbot integration or automatic notifications, confirm how messages are delivered (clawdbot CLI) and what data is sent externally.

Recommendation: treat the content-generation features as generally safe to try in a sandboxed project folder. If you want Twitter monitoring, review and audit the monitor scripts and the LaunchAgent plist, avoid storing tokens in shell rc files, and only enable background agents if you accept the ongoing activity and have inspected the code.


Tags: build-in-public


Runtime requirements

Runtime: 🎯 Clawdis
Bins: gh
