ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

buddy

v1.0.0

Buddy 宠物系统 — 孵化、互动、查看你的虚拟宠物伙伴

0· 91·0 current·0 all-time
by@edwin19861218

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for edwin19861218/openclaw-claude-buddy.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "buddy" (edwin19861218/openclaw-claude-buddy) from ClawHub.
Skill page: https://clawhub.ai/edwin19861218/openclaw-claude-buddy
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: node
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install openclaw-claude-buddy

ClawHub CLI

Package manager switcher

npx clawhub@latest install openclaw-claude-buddy
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (virtual pet) matches the code: it deterministically generates and persists a buddy per-user and renders ASCII output. Required binary (node) is appropriate. However, the skill accesses ~/.openclaw/identity/device.json to derive a deviceId for deterministic generation; the registry metadata declared no required config paths, so the code is doing more filesystem access than the manifest explicitly promised.
Instruction Scope
SKILL.md states the /buddy command executes scripts/hatch.js and that the script 'reads user configuration' and 'loads persisted Soul' — which is accurate. The runtime instructions are scoped to local reads/writes and rendering. They do not perform network calls. The mismatch is that SKILL.md and registry metadata do not list the exact files read/written (.openclaw/identity/device.json, .openclaw/extensions/buddy-companion/soul.json and mute.json), so users may not realize these specific paths are touched.
Install Mechanism
No install spec or external downloads; the skill is instruction-only with an included script. No network fetches or archive extractions are present. This is a low-risk install mechanism (code is bundled, not pulled from arbitrary URLs).
!
Credentials
The registry declares no required environment variables, yet the code will accept process.env.BUDDY_USER_ID as an override for user identity. The code also reads ~/.openclaw/identity/device.json (to get deviceId). Requesting/reading an identifier file and providing an undocumented env override increases privacy sensitivity and is not documented in the skill metadata.
Persistence & Privilege
The skill writes only to its own directory under ~/.openclaw/extensions/buddy-companion (soul.json and mute.json) and does not request elevated privileges or set always:true. Writing its own extension data is expected for persistent state.
What to consider before installing
This skill appears to be a local virtual-pet utility and contains no network calls or hidden endpoints, but it will read ~/.openclaw/identity/device.json (to derive a per-device user id) and create/write ~/.openclaw/extensions/buddy-companion/soul.json and mute.json in your home directory. The code also honors an undocumented BUDDY_USER_ID environment variable. Before installing, consider: 1) Inspect ~/.openclaw/identity/device.json to see whether it contains any sensitive or identifying information you don't want read. 2) If you prefer not to expose your device id, run the skill in a restricted environment or set BUDDY_USER_ID to a non-sensitive value. 3) Confirm you trust the skill source because it will create files under your home directory. 4) If you expect sprite/asset files, note the package does not include sprites.js (it falls back to a simple renderer). If you want higher assurance, request the publisher to declare the exact config paths and env variables in the skill metadata or provide the skill from a verifiable source.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Binsnode
latestvk979vjax6ka8sne9y1xr6s8j8d84g7cb
91downloads
0stars
1versions
Updated 2w ago
v1.0.0
MIT-0
@edwin19861218
latest
Download

Buddy System

管理你的 OpenClaw Buddy — 一个独特的虚拟宠物伙伴。

每个用户根据 ID 确定性生成一个独一无二的 buddy,拥有稀有度、物种、属性和性格。

物种列表

| 🦆 duck | 🪿 goose | 🫧 blob | | 🐱 cat | 🐉 dragon | 🐙 octopus | | 🦉 owl | 🐧 penguin | 🐢 turtle | | 🐌 snail | 👻 ghost | 🦎 axolotl | | 🐹 capybara | 🌵 cactus | 🤖 robot | | 🐰 rabbit | 🍄 mushroom | 💩 chonk |

命令

/buddy

首次使用:孵化你的 buddy。已孵化:显示 buddy 信息和 ASCII 精灵图。

/buddy pet

和你的 buddy 互动,它会做出可爱反应。

/buddy stats

查看 buddy 的详细属性面板(含 ASCII 精灵图、稀有度星级、属性条)。

/buddy mute

静音 buddy 的自动反应消息。

/buddy unmute

取消静音,恢复 buddy 的自动反应。

实现

当用户调用 /buddy 命令时,执行 {baseDir}/scripts/hatch.js 脚本。 脚本读取用户配置,确定性生成 buddy(物种、稀有度、属性、眼睛、帽子),加载持久化的 Soul(名字、性格),渲染 ASCII 精灵图,输出纯文本。

Comments

Loading comments...