Skill v1.0.0
ClawScan security
Buddy Skill Creator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 4, 2026, 8:04 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill does what it says: it parses local chat logs and photos and uses the EvoLink API to generate persona + memory files; requested binaries and env var align with that purpose, but it legitimately processes sensitive personal data (chat logs, EXIF GPS) which will be sent to a third‑party API.
- Guidance: This skill is internally consistent and appears to implement its described function. Important things to consider before installing or using it: 1) It parses local chat exports and photos and will send parsed text and extracted metadata (including possible EXIF GPS coordinates) to the EvoLink API endpoint (https://api.evolink.ai) using the EVOLINK_API_KEY — so any third‑party personal data will be transmitted to that service. 2) If you plan to import chat logs of real people, obtain their consent and consider redacting names, phone numbers, or locations first. 3) If you want to avoid sending raw material off‑site, use the pure‑imagination mode or redact files before import; verify what data the skill is sending in a safe test run. 4) Review EvoLink’s privacy policy and consider using a dedicated API key with limited billing/quotas. 5) The included Python tools are readable and local; if you are concerned, inspect/modify them (e.g., remove GPS extraction) before running. If you want, I can point out the exact lines where data is packaged and sent to the EvoLink API so you can review or redact them.
Review Dimensions
- Purpose & Capability (ok): Name/description match the implementation: tools for parsing WeChat/QQ/social exports and photos, persona/vibe prompts, and a writer to produce buddy SKILLs. Required binary python3 and EVOLINK_API_KEY are appropriate for calling EvoLink and running the included Python tools.
- Instruction Scope (note): Runtime instructions explicitly read user-provided chat exports, screenshots, and photos and run local parsers (wechat_parser.py, qq_parser.py, social_parser.py, photo_analyzer.py). Parsed content is sent to the EvoLink API for analysis. This is coherent with the stated purpose but carries privacy implications: third‑party content (including raw chat text and extracted EXIF/GPS) will be transmitted unless the user redacts it.
- Install Mechanism (ok): No remote download/install spec — instruction-only skill with included Python scripts. Dependencies are minimal (Pillow optionally listed in requirements.txt). No suspicious external installers or URL downloads are present.
- Credentials (note): Only EVOLINK_API_KEY is required and declared as primary — appropriate for a cloud API service. No other secrets or unrelated env vars are requested. The skill will send user data to api.evolink.ai using that key; this is expected but a privacy-sensitive operation, especially for real-person chat logs and photo GPS.
- Persistence & Privilege (ok): always is false. The skill writes generated buddy files under ./buddies/{slug}/ (skill-local) and manages versions there. It does not request system-wide or other-skill config, nor claim permanent elevated privileges.
