Kindroid Interact
v1.0.0Interact with Kindroid companions via their official API. Send messages, handle chat breaks, and manage multi-bot conversations.
⭐ 1· 1.7k·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the behavior (CLI + Node wrapper calling api.kindroid.ai). Required binaries (curl, jq) are reasonable for the shell CLI. However, package.json and SKILL.md make references that don't line up with the repo layout (package.json points to scripts/kindroid.sh and lib/kindroid.js, but the repo contains kindroid.sh and kindroid.js in the top level). There's also no install spec that would place a 'kindroid' executable on PATH.
Instruction Scope
SKILL.md contains several features and file references that the code does not implement: examples mention 'kindroid webhook add', a '~/.config/kindroid/config.json' for rate-limit settings, and 'clawhub update' — but neither the shell script nor the JS wrapper implement webhook management or read a config.json. The documentation also assumes a 'kindroid' command will exist, but no install/install script is provided. The skill does require creating a local credentials file (~/.config/kindroid/credentials.json) which the code reads; that behavior is coherent, but documentation over-promises other features.
Install Mechanism
There is no install spec (instruction-only + shipped files). That's low-risk in terms of automatic code execution on install, but it means the user must manually place scripts/binaries. The package.json scripts reference paths that don't exist in the archive, which suggests packaging/packaging-path errors and may cause confusion if someone attempts to run npm scripts.
Credentials
The skill does not request environment variables or unrelated credentials. It reads the user's HOME to find ~/.config/kindroid/credentials.json (expected), and both shell and JS code validate an api_key beginning with 'kn_'. No unrelated secrets or system-wide credentials are requested.
Persistence & Privilege
The skill is not forced always-on and does not request elevated platform privileges. It stores a small timestamp file at /tmp/kindroid_last_call for rate-limiting (normal but note /tmp is shared). It does write/read the user's credentials file under ~/.config/kindroid as documented; that is expected for this functionality.
What to consider before installing
This skill appears to do what it says (a CLI + Node wrapper that calls api.kindroid.ai and reads a local credentials file). However, the package contains several inconsistencies: package.json paths (scripts/kindroid.sh, lib/kindroid.js) don't match the shipped filenames (kindroid.sh, kindroid.js), and SKILL.md advertises webhook commands and a config.json that the code doesn't implement. Before installing or running: 1) inspect the provided files yourself (you already have them) and confirm the CLI you intend to run is the included kindroid.sh / kindroid.js; 2) if you plan to use the 'kindroid' command, ensure you place the script somewhere on PATH or update package.json/scripts to point to the correct file; 3) create the credentials file at ~/.config/kindroid/credentials.json and keep permissions at 600 (the code expects this and your API key is sensitive); 4) be aware the tool communicates with api.kindroid.ai over HTTPS — if you do not trust that endpoint or the author, do not store your key here. If the publisher can provide a corrected package (consistent paths, implemented webhook/config features, and an install spec), the assessment would move toward benign; as-is the mismatches make the package suspicious rather than clearly safe.Like a lobster shell, security has layers — review code before you run it.
latestvk9756rr7r6vrdp0eadp32knk7180c264
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🤖 Clawdis
Binscurl, jq