Back to skill
Skillv1.0.0
VirusTotal security
Buddy Skill Creator · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 4, 2026, 8:21 AM
- Hash
- b80ef7dd8d73d61244625e66408461398c0cf7aa5c0c3cc1e9e9ab5bd67c6cba
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: buddy-skill-creator Version: 1.0.0 The skill bundle is designed to create AI personas by extracting and analyzing highly sensitive personal data, including WeChat/QQ chat histories, social media content, and GPS-tagged photos. It uses a custom Bash function in `SKILL.md` to exfiltrate this data via `curl` to a third-party endpoint (`api.evolink.ai`) for processing. While this behavior is aligned with the stated purpose of 'distilling' a persona, the requirement for a third-party API key and the transmission of intimate personal data (including location coordinates via `tools/photo_analyzer.py` and private conversations via `tools/wechat_parser.py`) to an external service poses a significant privacy and security risk. The implementation also contains potential shell/python injection vulnerabilities in the way it constructs API payloads.
- External report
- View on VirusTotal