Huahua Spirits

This skill appears to do exactly what it claims: local, deterministic ASCII 'spirit' companions. Key points to consider before installing: - Privacy: the skill persistently stores companion data in assets/companion.json inside the skill folder, including bond, lastInteraction timestamps and short snippets of user messages (hook-react records up to 50 items). If you operate in a shared environment, these saved snippets could be visible to others with access to the agent's filesystem. - Identity seed: the recommended seed is a platform user ID (Feishu open_id, Telegram/Discord ID). Passing platform IDs will deterministically bind that identity to a spirit. If you do not want platform IDs saved or linked, use a less-sensitive seed (display name or a hashed identifier under your control). - LLM call: soul.js prompt prints a JSON prompt the agent should send to an LLM to generate name/personality; the package does not perform that network call itself. Ensure your agent sends only the intended prompt and does not include extra secrets when invoking the model. - No network exfiltration: the included scripts (generate.js, render.js, display.js, buddy.js, soul.js) perform only local file I/O and random/stat generation; there are no outgoing network calls or child_process/exec uses in the provided code. If you modify the skill, re-check for external calls. - Per-user isolation: if multiple users share a single agent instance, consider how companion.json will be managed (the skill stores one companion.json in its assets folder). You may want to maintain per-user companion files or ensure the agent uses per-user baseDir separation. If these behaviors (local persistent storage, deterministic binding to a seed ID, and silent recording of short positive-message snippets) are acceptable for your deployment, the skill is coherent and reasonable to install. If you need stronger privacy guarantees, request changes (per-user files, encryption, disable hook-react recording, or use ephemeral seeds).