OpenClaw Buddy

Security checks across malware telemetry and agentic risk

Overview

This skill appears to generate a virtual pet from a user identifier using a local script, with no evidence of credentials, network access, persistence, or destructive actions.

This looks benign for a fun deterministic buddy generator. Be aware that it uses a stable user ID or custom seed and runs a local Node script; do not enter private IDs unless you are comfortable with that, and treat the ID as data rather than unsafe shell text.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

When invoked, the agent runs the packaged script locally with your ID or custom seed.

Why it was flagged

The skill invokes a local command and substitutes a user or platform ID. This is purpose-aligned, but custom user-provided strings should be passed as a safe argument rather than interpolated unsafely into a shell command.

Skill content

node ~/.openclaw/workspace/skills/openclaw-buddy/scripts/buddy.js "<user_id>"

Recommendation

Only install if you are comfortable running the included script, and ensure implementations pass the ID as an argument or escape it safely.

ASI03: Identity and Privilege Abuse
Info
What this means

A stable identifier may be used locally to produce the same buddy each time.

Why it was flagged

The skill uses a stable account or platform identifier as the deterministic seed. This is disclosed and does not request credentials or account privileges.

Skill content

Feishu: Use sender's `open_id` ... Discord/Telegram/etc.: Use the sender's platform user ID

Recommendation

Avoid providing IDs you consider private; use a custom string or fallback value if you do not want a platform ID used.