Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Buddy Skill Creator
v1.0.0
Distill your ideal buddy into an AI Skill. Import chat history, photos, social media posts, or just describe your dream buddy — generate Vibe Memory + Person...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign, high confidence
Purpose & Capability
Name/description match the implementation: tools for parsing WeChat/QQ/social exports and photos, persona/vibe prompts, and a writer to produce buddy SKILLs. Required binary python3 and EVOLINK_API_KEY are appropriate for calling EvoLink and running the included Python tools.
Instruction Scope
Runtime instructions explicitly read user-provided chat exports, screenshots, and photos and run local parsers (wechat_parser.py, qq_parser.py, social_parser.py, photo_analyzer.py). Parsed content is sent to the EvoLink API for analysis. This is coherent with the stated purpose but carries privacy implications: third‑party content (including raw chat text and extracted EXIF/GPS) will be transmitted unless the user redacts it.
Install Mechanism
No remote download/install spec — instruction-only skill with included Python scripts. Dependencies are minimal (Pillow optionally listed in requirements.txt). No suspicious external installers or URL downloads are present.
Credentials
Only EVOLINK_API_KEY is required and declared as primary — appropriate for a cloud API service. No other secrets or unrelated env vars are requested. The skill will send user data to api.evolink.ai using that key; this is expected but a privacy-sensitive operation, especially for real-person chat logs and photo GPS.
Persistence & Privilege
always is false. The skill writes generated buddy files under ./buddies/{slug}/ (skill-local) and manages versions there. It does not request system-wide or other-skill config, nor claim permanent elevated privileges.
Assessment
This skill is internally consistent and appears to implement its described function. Important things to consider before installing or using it:
1) It parses local chat exports and photos and will send parsed text and extracted metadata (including possible EXIF GPS coordinates) to the EvoLink API endpoint (https://api.evolink.ai) using the EVOLINK_API_KEY, so any third‑party personal data will be transmitted to that service.
2) If you plan to import chat logs of real people, obtain their consent and consider redacting names, phone numbers, or locations first.
3) If you want to avoid sending raw material off‑site, use the pure‑imagination mode or redact files before import; verify what data the skill is sending in a safe test run.
4) Review EvoLink’s privacy policy and consider using a dedicated API key with limited billing/quotas.
5) The included Python tools are readable and local; if you are concerned, inspect/modify them (e.g., remove GPS extraction) before running.
If you want, I can point out the exact lines where data is packaged and sent to the EvoLink API so you can review or redact them.
Like a lobster shell, security has layers — review code before you run it.
latest vk97157pv403990da0wtrev26kn847zb9
Runtime requirements
Bins: python3
Env: EVOLINK_API_KEY
Primary env: EVOLINK_API_KEY
