Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
OpenClaw Buddy
v1.0.0
Generate a unique deterministic virtual pet buddy based on your user ID, featuring species, rarity, stats, cosmetics, and personality in ASCII art format.
by Rong @kylinr
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the provided files: SKILL.md describes deterministic buddy generation and the repo contains a JS generator implementing that logic. One minor mismatch: SKILL.md and scripts/buddy.js expect Node to be available and instruct running node <path>/buddy.js, but the registry metadata lists no required binaries. This is a bookkeeping inconsistency (Node should be declared) but does not indicate malicious behavior.
Instruction Scope
Runtime instructions are narrow: obtain a user ID from message context or user input, run the bundled buddy.js with that ID, then send the generated stdout card to the user. The instructions only reference message-sender IDs (open_id or platform user ID) which is appropriate for the stated purpose. There are no instructions to read arbitrary files, access credentials, or transmit data to external endpoints.
Install Mechanism
No install spec; this is instruction-only with an included JavaScript file. No downloads, external packages, or archive extraction are present. The skill will require a Node runtime to execute the included script (not declared in metadata), but it does not attempt to install software itself.
Credentials
The skill declares no required environment variables, no credentials, and the visible code does not access environment secrets or config paths. The only input needed is the user ID (from message context or manual input), which is proportionate to the functionality.
Persistence & Privilege
The skill is not always-enabled and does not request special persistent privileges. It does not modify other skills or system configurations (based on provided files). Autonomous invocation is allowed by platform defaults but is normal for a user-invocable skill of this type.
Assessment
This skill appears coherent and low-risk: it deterministically generates a virtual pet from a user ID using the included JS file and does not request credentials or network access. Before installing, verify two simple points: (1) ensure the agent environment has Node.js available (the SKILL.md instructs running node but metadata didn't declare Node as a required binary), and (2) inspect the remainder of scripts/buddy.js (the provided snippet was truncated) to confirm there are no unexpected network calls, child_process.exec/spawn usage, or filesystem operations. Also consider the privacy implication of letting users supply arbitrary IDs (the skill allows checking other people's IDs) — decide whether you want to restrict that behavior in your deployment. If Node is not present or you cannot inspect the full file, treat the Node requirement / truncated file as an installation blocker.
Like a lobster shell, security has layers — review code before you run it.
