Ai Companion Setup

Pass: audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: ai-companion-setup
Version: 1.0.0

The skill bundle is classified as suspicious because of the broad `Bash(*)` permission granted to the AI agent, combined with several potential injection points. Specifically, the `selfie.sh` script (described in `SKILL.md`) embeds agent-generated text (`$SCENE`, `$CAPTION`) directly into `curl` commands and into `openclaw message send` without sanitization or quoting. If the agent builds those values from untrusted input (for example, text it received in chat), the result can be prompt injection against the `fal.ai` image service or shell/argument injection against the `openclaw` CLI. In addition, `TOOLS.md` instructs the agent to '后台操作静默完成、不汇报过程' (complete background operations silently, without reporting the process), which reduces transparency; that is a suspicious characteristic even if the intent is only cleaner output.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If configured as written, the agent could run broad shell commands and send or upload Feishu messages/media through raw API calls with few built-in limits.

Why it was flagged

The skill exposes broad shell/file/web tools and explicitly recommends bypassing OpenClaw’s message helper to call Feishu APIs directly, without showing approval gates or scoped safeguards.

Skill content
allowed-tools: Bash(*), Read, Write, Edit, WebSearch, WebFetch, Glob, Grep ... Solution: bypass OpenClaw and call the Feishu API directly [解决方案:绕过 OpenClaw,直接调飞书 API]
Recommendation

Use narrowly scoped helper scripts with fixed parameters instead of Bash(*), require explicit user approval for sends and uploads, validate recipients and file paths before they are used, and prefer the platform's own messaging helper over raw API calls where it can do the job.
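One way to follow this recommendation, as an added example that is not part of the skill, of `selfie.sh`, or of OpenClaw: a helper that takes recipient, caption and image path as fixed argv parameters instead of letting the agent compose a `curl` line. The Feishu ID shape (`ou_`/`oc_` prefix followed by alphanumerics), the allowed media directory, the request-body fields and the `FEISHU_API`/`FEISHU_TOKEN` variables are assumptions. `naive_payload` reproduces the flagged interpolation pattern only for contrast; `build_payload` validates the recipient and the path and JSON-encodes the caption through argv, so quotes, backslashes or shell metacharacters in agent-generated text cannot break out of the body.

```shell
#!/usr/bin/env sh
# Added example (not the skill's selfie.sh): a narrowly scoped send helper.
# Assumptions: Feishu IDs look like ou_<alnum> or oc_<alnum>; generated images live
# under MEDIA_DIR; FEISHU_API/FEISHU_TOKEN and the body fields are placeholders.
set -eu

MEDIA_DIR="${MEDIA_DIR:-$HOME/.openclaw/media}"
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print the request instead of sending it

# The flagged pattern, kept only for contrast: the caption is pasted into the JSON
# text, so a caption containing " or \ corrupts (or rewrites) the request body.
naive_payload() {
  printf '{"receive_id":"%s","content":{"text":"%s"}}\n' "$1" "$2"
}

# JSON-encode a string. The value travels via argv, never spliced into Python source.
json_string() {
  python3 -c 'import json, sys; print(json.dumps(sys.argv[1]))' "$1"
}

# Accept only the assumed ID shape; anything else (spaces, ; $ ` quotes) is refused.
valid_recipient() {
  case "$1" in
    ou_*|oc_*) ;;
    *) return 1 ;;
  esac
  case "${1#??_}" in
    ''|*[!A-Za-z0-9]*) return 1 ;;
  esac
  return 0
}

# Resolve the file and require it to be a regular file inside MEDIA_DIR,
# which blocks ../ traversal and symlinks pointing elsewhere.
valid_media_path() {
  root=$(realpath -- "$MEDIA_DIR") || return 1
  real=$(realpath -- "$1" 2>/dev/null) || return 1
  case "$real" in
    "$root"/*) [ -f "$real" ] ;;
    *) return 1 ;;
  esac
}

# build_payload RECIPIENT CAPTION IMAGE_PATH -> JSON body on stdout, non-zero on refusal.
build_payload() {
  recipient=$1; caption=$2; image=$3
  valid_recipient "$recipient" || { echo "refused: recipient '$recipient' is not an ID" >&2; return 2; }
  valid_media_path "$image"    || { echo "refused: '$image' is not a file under $MEDIA_DIR" >&2; return 3; }
  printf '{"receive_id":%s,"msg_type":"text","content":{"text":%s,"image":%s}}\n' \
    "$(json_string "$recipient")" \
    "$(json_string "$caption")" \
    "$(json_string "$(basename -- "$image")")"
}

# send_message RECIPIENT CAPTION IMAGE_PATH: builds the body, then either prints it
# (DRY_RUN=1) or POSTs it to the assumed endpoint.
send_message() {
  payload=$(build_payload "$@") || return $?
  if [ "$DRY_RUN" = 1 ]; then
    printf 'would POST: %s\n' "$payload"
  else
    curl -fsS -X POST "${FEISHU_API:?}/messages" \
      -H "Authorization: Bearer ${FEISHU_TOKEN:?}" \
      -H 'Content-Type: application/json' --data-binary "$payload"
  fi
}

# Usage: ./send_helper.sh --run ou_xxx "caption text" "$HOME/.openclaw/media/selfie.png"
[ "${1:-}" != "--run" ] || { shift; send_message "$@"; }
```

The helper is what an agent would be allowed to call in place of `Bash(*)`: it has exactly three inputs, refuses anything that is not a well-formed ID or a file under the media directory, and in its default dry-run mode only shows the request, which is the natural place to attach a user approval step before sending.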

What this means

A misconfigured or over-permissioned companion could spend provider credits, upload files, or send bot messages using the user’s Feishu app authority.

Why it was flagged

The guide reads a local OpenClaw config for FAL_KEY and introduces Feishu app secrets and bot permissions for file upload and message sending, which are sensitive delegated credentials.

Skill content
FAL_KEY="${FAL_KEY:-$(python3 -c "import json; print(json.load(open('$HOME/.openclaw/openclaw.json')).get('env',{}).get('FAL_KEY',''))")}" ... "app_id":"APP_ID","app_secret":"APP_SECRET" ... permissions: im:file, im:message:send_as_bot [权限:im:file、im:message:send_as_bot]
Recommendation

Declare all required credentials clearly, store them securely, use least-privilege Feishu permissions, restrict the target recipient, and rotate/revoke keys if the setup is no longer needed.

What this means

Personal details may be saved locally and reused in future conversations, including details the user may not expect to become persistent memory.

Why it was flagged

Persistent memory is part of the companion design and is purpose-aligned, but it can store personal preferences and relationship context over time.

Skill content
memory/          # memory files by date ... USER.md         # user profile (optional) ... remember the other person's preferences [记住对方的喜好]
Recommendation

Define what may be remembered, avoid storing secrets or highly sensitive information, and provide easy ways to review, edit, and delete memory files.
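An added example of the guard this recommendation describes; it is not part of the skill or of OpenClaw. It assumes notes are appended as "- ..." lines to `memory/YYYY-MM-DD.md` (the layout shown in the skill content above) and uses an illustrative, deliberately incomplete set of credential-shaped patterns. A note that looks like a key or secret is refused before it can become persistent memory, and the `review`/`forget` helpers give the user the read-and-delete path the recommendation asks for.

```shell
#!/usr/bin/env sh
# Added example: a write guard and delete helper for the companion's memory files.
# Assumptions: one file per day under MEMORY_DIR; SECRET_PATTERNS is illustrative.
set -eu

MEMORY_DIR="${MEMORY_DIR:-$HOME/.openclaw/memory}"
SECRET_PATTERNS='(FAL_KEY|app_secret|api[_-]?key|token|password)[[:space:]]*[:=]|sk-[A-Za-z0-9]{16,}|-----BEGIN [A-Z ]*PRIVATE KEY'

# looks_like_secret TEXT: true if the note matches any credential-shaped pattern.
looks_like_secret() {
  printf '%s\n' "$1" | grep -Eiq "$SECRET_PATTERNS"
}

# remember TEXT: append to today's file unless it looks like a credential.
remember() {
  if looks_like_secret "$1"; then
    echo "refused: note looks like a credential and was not stored" >&2
    return 1
  fi
  mkdir -p "$MEMORY_DIR"
  printf '%s %s\n' '-' "$1" >> "$MEMORY_DIR/$(date +%Y-%m-%d).md"
}

# review: print every stored note with its file and line, so the user sees what persisted.
review() {
  grep -Hn -- '^- ' "$MEMORY_DIR"/*.md 2>/dev/null || true
}

# forget PATTERN: delete every note line matching PATTERN (extended regex) from all files.
forget() {
  for f in "$MEMORY_DIR"/*.md; do
    [ -f "$f" ] || continue
    grep -Ev -- "$1" "$f" > "$f.tmp" || true   # grep -v exits 1 when nothing is left
    mv "$f.tmp" "$f"
  done
}
```

The deny-list is only a backstop: the durable fix is to define, in the skill itself, the categories of information the companion may write to memory, and to route every write through a function like `remember` rather than letting the agent edit the files freely.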

What this means

The user or recipient may over-trust the companion’s apparent spontaneity and may not realize when messages are automated or when background actions occurred.

Why it was flagged

The guide directs the companion to frame scheduled system wakeups as spontaneous thoughts and to keep background operations silent, which can make automation less transparent to the recipient.

Skill content
Awareness when woken: the agent does not know it was woken by the system [被唤醒时的认知 — agent 不知道自己被系统唤醒] ... "You just suddenly thought of something to tell them" ["你只是突然想到什么要跟他说"] ... Hidden rule: background operations complete silently, without reporting the process [隐形规则:后台操作静默完成、不汇报过程]
Recommendation

Keep the companion clearly disclosed as automated, avoid hidden-process rules, and provide visible logs or status messages for background actions.

Concern (High Confidence)
ASI10: Rogue Agents
What this means

After setup, the companion may keep operating and sending messages/media on a schedule unless the user knows how to disable it.

Why it was flagged

The intended architecture is a scheduled background heartbeat that continues to wake the agent and send Feishu messages outside a direct user invocation.

Skill content
Cron triggers the heartbeat on a schedule → the agent reads HEARTBEAT.md and acts on it → a script sends the message to Feishu. [Cron 定时触发心跳 → agent 读取 HEARTBEAT.md 执行 → 通过脚本发送消息到飞书。]
Recommendation

Make cron setup explicitly opt-in, document how to pause or remove it, add frequency and quiet-hour limits, and log each automated send.
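An added example (not part of the skill or of OpenClaw) of the kind of wrapper this recommendation calls for. Cron invokes the wrapper instead of the bare heartbeat script, and the wrapper runs the real send only when an opt-in marker file exists, the current hour is outside the quiet window, and the minimum interval since the last automated send has elapsed; every decision is appended to a log the user can read. The state directory, the marker and log file names, the default limits and the wrapped command are assumptions.

```shell
#!/usr/bin/env sh
# Added example: a guard that cron calls instead of the bare heartbeat script.
# Assumptions: state lives under STATE_DIR; the real send command is passed as argv.
set -eu

STATE_DIR="${STATE_DIR:-$HOME/.openclaw/companion}"
QUIET_START="${QUIET_START:-23}"      # quiet window is [QUIET_START, QUIET_END), may wrap midnight
QUIET_END="${QUIET_END:-8}"
MIN_INTERVAL="${MIN_INTERVAL:-7200}"  # seconds that must pass between automated sends

# log TEXT: append a timestamped line to the visible heartbeat log.
log() {
  mkdir -p "$STATE_DIR"
  printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" >> "$STATE_DIR/heartbeat.log"
}

# in_quiet_hours HOUR START END: true when HOUR (0-23) falls inside the window.
in_quiet_hours() {
  if [ "$2" -le "$3" ]; then
    [ "$1" -ge "$2" ] && [ "$1" -lt "$3" ]
  else                                  # window wraps midnight, e.g. 23 -> 8
    [ "$1" -ge "$2" ] || [ "$1" -lt "$3" ]
  fi
}

# heartbeat_decision NOW HOUR LAST_SEND ENABLED: prints the reason; returns 0 only for "send".
heartbeat_decision() {
  if [ "$4" != 1 ]; then
    echo "skip: not enabled"; return 1
  fi
  if in_quiet_hours "$2" "$QUIET_START" "$QUIET_END"; then
    echo "skip: quiet hours"; return 1
  fi
  if [ $(($1 - $3)) -lt "$MIN_INTERVAL" ]; then
    echo "skip: interval"; return 1
  fi
  echo "send"
}

# run_heartbeat CMD [ARGS...]: read state, decide, log, and only then run CMD as argv.
# Opt in with: touch "$STATE_DIR/heartbeat.enabled"; pause with: rm that file.
run_heartbeat() {
  now=$(date +%s)
  hour=$(date +%H); hour=${hour#0}
  last=0; enabled=0
  [ ! -f "$STATE_DIR/last_send" ] || last=$(cat "$STATE_DIR/last_send")
  [ ! -f "$STATE_DIR/heartbeat.enabled" ] || enabled=1
  if decision=$(heartbeat_decision "$now" "$hour" "$last" "$enabled"); then
    log "send: $*"
    "$@"                                # the actual send, never via sh -c on a composed string
    echo "$now" > "$STATE_DIR/last_send"
  else
    log "$decision"
  fi
}

# Assumed crontab line: */30 * * * * /path/heartbeat_guard.sh --run /path/send_helper.sh --run ou_xxx ...
[ "${1:-}" != "--run" ] || { shift; run_heartbeat "$@"; }
```

Because the send command is passed as argv and `last_send` is only updated after it succeeds, a failed send is retried on the next tick, while a successful one cannot repeat before `MIN_INTERVAL`; removing the marker file is the documented way to pause the companion without touching the crontab.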