ClawHub

Claude Buddy Card

Security checks across malware telemetry and agentic risk

Overview

The skill appears to make the promised trading card, but it asks the agent to extract and use your Claude Code OAuth token from macOS Keychain for a novelty feature.

Review carefully before installing. This skill is not just a local card generator: it directs your agent to read a Claude Code token from macOS Keychain, use it to fetch your account UUID, send generated prompt data to Google/Gemini, and save a file to Downloads. Install only if you trust the publisher and are comfortable approving those credential and network actions; a safer design would use a user-provided non-secret seed instead of Keychain credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The README claims no personal data leaves the machine because only an image prompt is sent, but the prompt necessarily contains identity-derived buddy attributes computed from the user's local Claude identity. Even if the raw UUID is not transmitted, derived identifiers and a stable unique card profile can still disclose user-linked information to the external image API, making the privacy claim misleading.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill explicitly instructs the agent to read a Claude OAuth credential from the user's macOS Keychain and use it to derive identity data for a novelty feature. Accessing local credentials is highly sensitive and not necessary for safe operation of a trading-card generator; even if only the UUID is requested, the token itself is exposed to the workflow and could be misused or leaked.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill requires a user API key for Google image generation and sends prompts/data to an external service, but this dependency is only lightly disclosed and not bounded by strict handling guidance. While using an API key for image generation can be legitimate, it still introduces credential-handling and third-party data exposure risk that should be treated as sensitive.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The page explicitly claims the skill reads a Claude account UUID from the local macOS Keychain, which is a sensitive credential/access statement, but this HTML provides no implementation or disclosure details. Even as marketing copy, misrepresenting access to a sensitive local secret can normalize invasive behavior, mislead users about what the skill will do, and potentially induce them to install a skill with unsafe expectations.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The page claims it uses code from 'Claude Code's leaked source,' which is not just unverifiable in this file but indicates reliance on unauthorized or illicit material. That creates both policy and supply-chain trust concerns, and may be used to entice users with claims of insider or stolen functionality.

Vague Triggers

Medium
Confidence
75% confidence
Finding
The trigger phrase "what's my buddy?" is broad enough to overlap with normal conversation, increasing the chance the skill activates unexpectedly. In a skill that reads local Keychain data and writes files, accidental invocation can cause privacy-sensitive actions without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The usage section says the skill will read Claude account identity from local Keychain and save a file to Downloads, but it does not clearly warn users at invocation time or require confirmation before these side effects occur. This weak consent model is risky because accessing local secrets storage and writing files are sensitive operations that users may not expect from a casual prompt.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill tells the agent to extract an OAuth access token from Keychain and send it in a Bearer authorization header to a remote API, without an explicit privacy warning or informed consent step. This is dangerous because credential use and identity retrieval happen behind the scenes for a cosmetic feature, normalizing secret exfiltration patterns and risking unauthorized account access if mishandled.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill writes output to a fixed file path in the user's Downloads folder without clearly warning about file creation or overwrite behavior. This is a transparency and safety issue because it may clobber existing files or create artifacts the user did not explicitly choose to store.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Describing access to the user's macOS Keychain without a clear privacy disclosure is risky because it references sensitive local secret material and may desensitize users to credential access. In the context of an installable skill, this is more dangerous than generic web copy because users may infer such access is expected or safe without informed consent.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The statement that the skill uses 'Claude Code's leaked source' is a strong policy and trust red flag because it promotes unauthorized access to proprietary materials. In a skill-distribution context, this can signal deliberate misuse, encourage unsafe adoption, and undermine confidence in the integrity of the implementation.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
Repeating the leaked-source claim in the footer reinforces the unauthorized-material narrative and makes it part of the product identity, not an accidental mention. This increases the likelihood that the skill is intentionally marketed using illicit provenance, which raises serious policy, legal, and supply-chain trust concerns.

Ssd 3

High
Confidence
98% confidence
Finding
The core workflow depends on retrieving a local OAuth token from Keychain and using it to query account identity data. This directly couples a playful output-generation feature to privileged secret access, which is unnecessary and creates a strong opportunity for abuse, especially in agentic environments where users may not inspect every command.

Credential Access

High
Category
Privilege Escalation
Content
## Privacy

- Your account UUID **never leaves your machine**
- The skill reads from YOUR local Keychain only
- Only the image prompt is sent to Google's API (no personal data)
- The card shows a hash ID, not your actual account
Confidence
88% confidence
Finding
Keychain

Credential Access

High
Category
Privilege Escalation
Content
## Requirements

- macOS (needs Keychain access for your Claude identity)
- [Claude Code](https://docs.anthropic.com/en/docs/claude-code) installed and logged in
- Free `GOOGLE_API_KEY` ([get one here](https://aistudio.google.com/apikey))
- Node.js or Bun (for the buddy algorithm script)
Confidence
86% confidence
Finding
Keychain

Credential Access

High
Category
Privilege Escalation
Content
## FAQ

**Q: Does this work on Windows/Linux?**
A: Not yet — it reads from macOS Keychain. Windows/Linux support coming soon.

**Q: Why does my card look different each time?**
A: The AI art is generated fresh each time. Your species, rarity, and stats never change — only the visual style varies.
Confidence
86% confidence
Finding
Keychain

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal