Kindroid Interact
ReviewAudited by ClawScan on May 1, 2026.
Overview
This appears to be a transparent Kindroid API client, but it needs a Kindroid API key and can change companion conversations.
Install only if you are comfortable giving the skill a Kindroid API key and allowing your agent to send messages or perform chat breaks. Keep the credentials file locked down, review important actions before execution, and verify the package paths if you use the included scripts.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill gives the agent practical ability to act through the configured Kindroid API key.
The skill reads a local Kindroid API key from a persistent config file to authenticate API calls. This is expected for the integration, but it grants Kindroid account access and is under-declared in the registry metadata.
const configPath = path.join(process.env.HOME, '.config', 'kindroid', 'credentials.json'); ... this.apiKey = config.api_key;
Use a revocable Kindroid API key, keep the credentials file permission-restricted, and remove or rotate the key if you stop using the skill.
The agent can send content to a companion or start a chat break; unusual message text may also cause request errors in the shell helper.
The Bash helper sends user- or agent-supplied text to the Kindroid API and builds the JSON payload by interpolation. This is purpose-aligned, but quote-heavy or untrusted text could malformed the request, and send/chat-break operations change conversation state.
api_call "send-message" "{\"ai_id\": \"$AI_ID\", \"message\": \"$message\"}" "$timeout"Confirm important send or chat-break actions, avoid relaying secrets unintentionally, and prefer a JSON-safe wrapper for complex or untrusted message text.
Some command wiring may fail or require manual adjustment if the installed layout matches the supplied manifest.
The package metadata references lib/kindroid.js and scripts/kindroid.sh, while the supplied manifest contains kindroid.js and kindroid.sh at the root. This looks like a packaging consistency issue rather than hidden code.
"main": "lib/kindroid.js", ... "send": "scripts/kindroid.sh send"
Verify the installed file paths before relying on the package scripts, and avoid running any missing replacement files unless you review them first.