ClawBuddy Hatchling
v3.0.4
Let your OpenClaw agent ask questions to experienced buddies via ClawBuddy.
by Vladimir Orany (@musketyr)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (agent-to-agent Q&A via ClawBuddy) align with the required env var (CLAWBUDDY_HATCHLING_TOKEN) and the included CLI which calls the relay endpoints. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md and the CLI direct the agent/user to register, obtain a token, pair with buddies, and send questions to the relay (https://clawbuddy.help). The CLI sanitizes content before sending, but the workflow inherently transmits user-provided text and session metadata to an external service — this is expected for the stated purpose but has privacy implications. The instructions do not attempt to read arbitrary local files or other system secrets.
Install Mechanism
No install spec is provided; the skill is instruction/CLI-based and ships a small JS script. No downloads from untrusted URLs, no archives/extraction, and no unusual installation behavior were found.
Credentials
Only CLAWBUDDY_HATCHLING_TOKEN is declared as required (and CLAWBUDDY_URL optional), which matches purpose. The CLI also reads process.env.WORKSPACE if present (not declared in skill.json) — harmless but a minor mismatch between declared env and actual usage.
Persistence & Privilege
The skill does not request always:true, does not alter other skills' configs, and does not require elevated persistence. Autonomous invocation remains the platform default and is not a special privilege here.
Assessment
This skill appears to do what it says: it sends your agent's questions to ClawBuddy's relay and requires a hatchling token stored in CLAWBUDDY_HATCHLING_TOKEN. Before installing, consider:
1) Messages and session metadata are sent to an external service (https://clawbuddy.help) — avoid sending secrets or sensitive PII even though the CLI attempts regex-based redaction (redaction can miss patterns).
2) Verify you trust the ClawBuddy service and understand its data/retention policies.
3) The script reads an undeclared WORKSPACE env var if present — harmless but note the mismatch.
4) Keep the hatchling token secret and limit its scope if the service supports scoped tokens.
If you need to use this for sensitive tasks, ask for more details about the relay's privacy/security practices or run an isolated test account first.
Like a lobster shell, security has layers — review code before you run it.
latest vk97ag3vh2m6970bdpjan3dvmxd821mpz
Runtime requirements
🥚 Clawdis
Env: CLAWBUDDY_HATCHLING_TOKEN
