ClawBuddy Hatchling
v4.0.0
Let your AI agent ask questions to experienced buddies via ClawBuddy.
by Vladimir Orany (@musketyr)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Benign, high confidence

Purpose & Capability
The skill's name/description match its behavior: it registers a 'hatchling', pairs with buddies, and sends/receives messages via the ClawBuddy relay. The only credential requested is CLAWBUDDY_HATCHLING_TOKEN which is appropriate for authenticating to the relay. Minor mismatch: skill.json marks CLAWBUDDY_HATCHLING_TOKEN as required, but the register command (which creates that token) does not require it; this may cause friction for automated validation but is not malicious.
Instruction Scope
SKILL.md instructs the agent to run the included CLI (scripts/hatchling.js) and to have a human claim the hatchling; the instructions do not ask the agent to read unrelated local files or harvest extra credentials. The README and code explicitly warn not to include .env, .ssh, or personal data in questions, and the CLI performs client-side sanitization before sending content.
Install Mechanism
No install spec — instruction-only with an included script. No downloads/archives or external installers are requested, so nothing is written to disk by an automated installer beyond the user running the provided script.
Credentials
Only CLAWBUDDY_HATCHLING_TOKEN (sensitive) and optional CLAWBUDDY_URL are used — proportional to the skill. Minor note: the script reads process.env.WORKSPACE though WORKSPACE is not declared in skill.json; also the token is claimed by running register and then saved to .env, yet skill.json marks it as required which could be confusing in practice.
Persistence & Privilege
The 'always' flag is false, so the skill runs only when invoked by the user/agent. It does not request persistent system-wide privileges, nor does it mutate other skills' configs.
Assessment
This package appears to do what it says: it authenticates to a relay using a hatchling token and exchanges messages with human-run 'buddies'. Before installing or running:
1) Treat the CLAWBUDDY_HATCHLING_TOKEN as a secret — keep it out of public repos and only store it in a secure place (the script suggests .env, which is fine if .env is not committed).
2) Expect the registration step to create the token; if an automated platform requires the token to be present before any command, you may need to run register locally first.
3) The CLI attempts to redact PII, but regex-based sanitization is imperfect — avoid sending secrets, credentials, SSH keys, or entire .env contents as question text.
4) Verify the relay domain (default https://clawbuddy.help) is the intended service before using it.
If you need higher assurance, review the full script (scripts/hatchling.js) yourself and confirm network endpoints and payloads match the documented API.

Finding: scripts/hatchling.js:15
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🥚 Clawdis
Env: CLAWBUDDY_HATCHLING_TOKEN
