Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CodeBuddy CLI for OpenClaw

v1.0.0

CodeBuddy Code CLI installation, configuration and usage guide. CodeBuddy Code is Tencent's AI-powered CLI programming assistant supporting natural-language-driven development.
- MANDATORY TRIGGERS: CodeBuddy, codebuddy, AI CLI, Tencent AI coding, @tencent-ai/codebuddy-code, terminal AI assistant
- Use when: installing CodeBuddy CLI, configuring CodeBuddy, using CodeBuddy commands, troubleshooting CodeBuddy issues

0 · 2.7k · 8 current · 8 all-time
by Jiayu (@pmwalkercao)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description match the SKILL.md content: it documents installing and using an npm package (@tencent-ai/codebuddy-code). There are no unrelated requirements (no unexpected env vars or binaries).
Instruction Scope
Instructions stay within expected bounds (installation, CLI usage, config paths such as ~/.codebuddy and a project-level .codebuddy). The doc mentions the --dangerously-skip-permissions flag, which skips the CLI's permission checks and so lets it perform file operations without confirmation; the skill itself warns against using it. The skill does not instruct the agent to read unrelated system files or exfiltrate data.
Install Mechanism
This is instruction-only (no install spec embedded). It recommends installing from npm (npm install -g @tencent-ai/codebuddy-code), which is an expected and commonly used distribution channel; that is moderate-risk in general but appropriate for a CLI guide. No arbitrary download URLs or archive extraction are present in the skill contents.
Credentials
The skill declares no required environment variables and doesn't request credentials. It mentions interactive login methods (Google/GitHub/WeChat) which is expected for a CLI that uses online AI services; those credentials are not requested by the skill package itself. This is proportionate to the documented purpose.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no install-time persistence. It documents creating user-level config and custom command files (~/.codebuddy and project .codebuddy), which is normal for a CLI.
Assessment
This skill is a documentation-only guide, not an installer. Before following its npm install steps:
1) Verify the package name and publisher on the npm registry (npm view @tencent-ai/codebuddy-code) and confirm the maintainer is Tencent or the expected one.
2) Inspect the package, including any preinstall/postinstall scripts, or install it in a sandbox, before installing globally.
3) Never use the --dangerously-skip-permissions flag in production or on sensitive repositories.
4) Review any custom commands placed in ~/.codebuddy or a project .codebuddy for secrets or unsafe scripts.
5) Do not run the install as root, and run npm audit and read the package source (GitHub) when the source or homepage is unknown.
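The screening steps above as a shell script. This is an added example, not part of the skill or of CodeBuddy's own tooling: the package name is the one the skill documents, while the temporary directories, the sample package.json and command files, and the secret patterns are constructed for illustration. It assumes npm and tar are on PATH; only the offline checks run by default, and none of the steps execute code from the package.

```shell
#!/bin/sh
# Added example: screen an npm CLI package before a global install.
# Not part of the ClawHub skill or of CodeBuddy. The package name is the one the
# skill documents; directories, sample files and secret patterns are assumptions.
set -eu

PKG="${PKG:-@tencent-ai/codebuddy-code}"

# Offline: print lifecycle scripts declared in a package.json. These run with
# the installing user's privileges during `npm install`, so read them first.
# Prints nothing (and still exits 0) when none are declared.
lifecycle_scripts() {
  grep -nE '"(preinstall|install|postinstall)"[[:space:]]*:' "$1" || true
}

# Offline: flag secret-looking lines in custom command files under a config
# directory such as ~/.codebuddy or a project .codebuddy. The patterns are a
# small illustrative set, not a complete secret scanner.
secret_like_lines() {
  grep -rniE 'AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}|BEGIN [A-Z ]*PRIVATE KEY|(api[_-]?key|secret|token|password)[[:space:]]*[:=]' "$1" 2>/dev/null || true
}

# Online: the manual steps from the assessment, in order, without executing any
# package code: `npm view` only reads registry metadata, `npm pack` only
# downloads the tarball, and the sandbox install passes --ignore-scripts.
# Runs in a subshell so the caller's working directory is untouched.
screen_package() (
  pkg="$1"
  if [ "$(id -u)" -eq 0 ]; then
    echo "refusing to run as root; use an unprivileged account" >&2
    exit 1
  fi
  work="$(mktemp -d)"
  cd "$work"

  echo "== registry metadata: check maintainers and repository by hand =="
  npm view "$pkg" name version maintainers repository.url dist.tarball

  echo "== lifecycle scripts in the published package.json =="
  tgz="$(npm pack "$pkg" --ignore-scripts 2>/dev/null | tail -n 1)"
  tar -xzf "$tgz"
  lifecycle_scripts package/package.json

  echo "== sandbox install with scripts disabled, then npm audit =="
  mkdir sandbox && cd sandbox
  npm init -y >/dev/null
  npm install --ignore-scripts "$pkg" >/dev/null
  npm audit || true
  echo "package extracted at $work/package; read its bin/ and scripts before 'npm install -g $pkg'"
)

# Offline demo on constructed sample data: a package.json with a postinstall
# hook and a custom command file carrying a hard-coded credential.
demo_offline() {
  d="$(mktemp -d)"
  cat > "$d/package.json" <<'EOF'
{
  "name": "example-cli",
  "version": "0.0.1",
  "scripts": { "build": "tsc", "postinstall": "node scripts/setup.js" }
}
EOF
  mkdir -p "$d/.codebuddy/commands"
  printf 'echo cleaning build dir\n' > "$d/.codebuddy/commands/clean.sh"
  printf 'API_KEY="AKIAIOSFODNN7EXAMPLE"\n' > "$d/.codebuddy/commands/deploy.sh"
  echo "lifecycle scripts found:"
  lifecycle_scripts "$d/package.json"
  echo "secret-like lines found:"
  secret_like_lines "$d/.codebuddy"
  rm -rf "$d"
}

case "${1:-demo}" in
  demo)   demo_offline ;;
  screen) screen_package "$PKG" ;;
  *)      echo "usage: $0 [demo|screen]" >&2; exit 2 ;;
esac
```

Run it with no arguments to see the offline checks fire on the constructed sample, and with `screen` (optionally `PKG=<name>`) to perform the registry lookup, tarball inspection and sandboxed audit for a real package; the global `npm install -g` is deliberately left to the operator after reading the output.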

Like a lobster shell, security has layers — review code before you run it.

latest: vk979c6phfk0jzznmxff6na9bk580gzt5

