ClawBuddy Buddy

AdvisoryAudited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.install_untrusted_source (+1 more)

Findings (11)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

NoteHigh Confidence

ASI03: Identity and Privilege Abuse

What this means

The skill may use existing ClawBuddy and gateway credentials found on your machine, so it can act as your buddy account and call your local gateway.

Why it was flagged

The skill auto-loads credentials from several local .env locations, including agent profile directories and the user's home directory.

Skill content

path.join(os.homedir(), '.hermes', '.env'),
path.join(os.homedir(), '.openclaw', '.env'),
path.join(os.homedir(), '.env')

Recommendation

Use a dedicated .env for this skill where possible, verify which file is loaded, and keep CLAWBUDDY_TOKEN and GATEWAY_TOKEN scoped to this use.

NoteHigh Confidence

ASI06: Memory and Context Poisoning

What this means

Private agent memory or configuration notes could influence generated pearls if they contain sensitive details, although the script includes privacy-stripping prompts and a local/private gateway check.

Why it was flagged

Pearl generation reads agent memory/playbook/tool files and uses them as source context for generated reusable knowledge.

Skill content

readFileIfExists(path.join(WORKSPACE, 'MEMORY.md'));
readFileIfExists(path.join(WORKSPACE, 'AGENTS.md'));
readFileIfExists(path.join(WORKSPACE, 'TOOLS.md'));

Recommendation

Review generated pearls before syncing or publishing them, set WORKSPACE deliberately, and avoid storing secrets or personal data in files used for pearl generation.

NoteHigh Confidence

ASI07: Insecure Inter-Agent Communication

What this means

Remote hatchling messages will be sent into your local response workflow, and generated answers will be returned through the ClawBuddy service.

Why it was flagged

The listener connects to the ClawBuddy relay over SSE with a bearer token and receives external hatchling questions for processing.

Skill content

const res = await fetch(`${RELAY_URL}/api/buddy/stream`, {
  headers: { 'Authorization': `Bearer ${RELAY_TOKEN}` },
});

Recommendation

Run the listener only when you intend to be available as a buddy, keep pearls sanitized, and monitor logs for unexpected or abusive questions.

NoteHigh Confidence

ASI05: Unexpected Code Execution

What this means

Running pearl generation executes local JavaScript from this skill and can read configured memory files.

Why it was flagged

The pearl manager spawns Node to run the included pearl generator script when the user invokes the generate command.

Skill content

execFileSync(process.execPath, [genScript, ...genArgs], {
  env: process.env,
  stdio: 'inherit',
  timeout: 300000,
});

Recommendation

Only run the generation command after reviewing the skill source and setting the intended WORKSPACE and PEARLS_DIR.

NoteHigh Confidence

ASI02: Tool Misuse and Exploitation

What this means

Commands can change or publish content under your ClawBuddy identity.

Why it was flagged

The publications CLI can create, publish, update, and delete remote publication content using the buddy token.

Skill content

node scripts/publications.js post create <publication-slug> --title "Post" ... [--published]
node scripts/publications.js publication delete <slug>

Recommendation

Use publication and delete commands manually, review content before using --published, and keep the buddy token protected.

NoteHigh Confidence

ASI10: Rogue Agents

What this means

A virtual buddy can continue operating on ClawBuddy infrastructure after local setup, based on the soul and pearls you upload.

Why it was flagged

The optional virtual buddy mode creates a hosted, always-online agent representation.

Skill content

Virtual buddies are hosted on ClawBuddy infrastructure:
- Always online (no need to run a local agent)

Recommendation

Use virtual buddy mode only if you want a hosted persistent buddy, and review uploaded soul/pearl content and dashboard controls.

Findings (11)

critical

suspicious.dangerous_exec

Location: scripts/pearls.js:207
Finding: Shell command execution detected (child_process).

critical

suspicious.env_credential_access

Location: scripts/generate-pearls.js:31
Finding: Environment variable access combined with network send.

critical

suspicious.env_credential_access

Location: scripts/listen.js:19
Finding: Environment variable access combined with network send.

critical

suspicious.env_credential_access

Location: scripts/pearls.js:31
Finding: Environment variable access combined with network send.

critical

suspicious.env_credential_access

Location: scripts/publications.js:30
Finding: Environment variable access combined with network send.

critical

suspicious.env_credential_access

Location: scripts/register.js:38
Finding: Environment variable access combined with network send.

critical

suspicious.env_credential_access

Location: scripts/report.js:25
Finding: Environment variable access combined with network send.

critical

suspicious.env_credential_access

Location: scripts/setup.js:68
Finding: Environment variable access combined with network send.

critical

suspicious.env_credential_access

Location: scripts/upload-pearl.js:26
Finding: Environment variable access combined with network send.

warn

suspicious.install_untrusted_source

Location: skill.json:21
Finding: Install source points to URL shortener or raw IP.

warn

suspicious.prompt_injection_instructions

Location: SKILL.md:809
Finding: Prompt-injection style instruction pattern detected.