Security audit

Buddy

Security checks across malware telemetry and agentic risk

Overview

This is a local ASCII companion skill whose persistence and shell scripts match its stated purpose, with only low-impact state-management caveats.

Install this if you want a persistent chat companion and are comfortable with it reacting to common phrases and storing a small local buddy-state JSON file. Review or remove ~/.openclaw/workspace/buddy-state.json if you want to inspect or clear its saved state; avoid using the raw script helpers for manual edits unless you are comfortable with possibly corrupting or deleting the companion state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The script exposes broad, generic state mutation primitives (`update`, `restyle`, `rename`, `mood`, `stat`, `retire`, `delete`) against a JSON file without constraining which fields may be changed or enforcing companion-specific invariants. In a skill context, this enables unintended or abusive manipulation of persistent state beyond the narrow pet-companion behaviors described, which can be leveraged by other skill components to alter lifecycle, appearance, counters, or arbitrary top-level fields in ways users did not explicitly authorize.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The `update` command allows arbitrary top-level key/value writes based solely on caller input, which is more capability than a chat companion needs and creates an unnecessary generic state-editing surface. Even though this is local state rather than code execution, such unrestricted persistence can be abused to forge state, bypass intended progression, or inject misleading data consumed elsewhere in the skill.

Vague Triggers

Medium
Confidence: 90%
Finding
The skill activates on very broad natural-language phrases like mentions of the companion, which can cause unintended invocation during ordinary conversation. That creates prompt-scope confusion and can lead to unwanted state changes, distracting outputs, or behavior that users did not explicitly request.

Vague Triggers

Medium
Confidence: 93%
Finding
The keyword lists include many common terms such as greetings, thanks, help, error words, and generic success phrases that are likely to appear in normal chat. This makes accidental triggering highly probable, which can leak contextual influence into unrelated conversations and cause repeated unsolicited reactions or state updates.

Missing User Warnings

Low
Confidence: 82%
Finding
The skill persists conversation-derived attributes and interaction history to a local JSON file but does not mention user notice, retention expectations, or controls. Even though the stored data appears low sensitivity, silent persistence can create privacy surprises and expose behavioral metadata across sessions or to other local processes/users with file access.

Missing User Warnings

Medium
Confidence: 95%
Finding
The `delete` command permanently removes the state file immediately if it exists, with no confirmation, warning, backup, or soft-delete behavior. In an agent skill environment, a mistaken invocation or unintended tool chaining can irreversibly erase user state and companion history, causing data loss disproportionate to the feature's purpose.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.