Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CodeBuddy Code for OpenClaw

CodeBuddy Code CLI installation, configuration and usage guide. CodeBuddy Code is Tencent's AI-powered CLI programming assistant supporting natural language driven development. - MANDATORY TRIGGERS: CodeBuddy, codebuddy, AI CLI, Tencent AI coding, @tencent-ai/codebuddy-code, terminal AI assistant - Use when: installing CodeBuddy CLI, configuring CodeBuddy, using CodeBuddy commands, troubleshooting CodeBuddy issues

MIT-0 · Free to use, modify, and redistribute. No attribution required.
2 · 3k · 12 current installs · 14 all-time installs
by Jiayu @pmwalkercao
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the instructions: the SKILL.md describes installing and using a CodeBuddy CLI and all steps (npm install, CLI commands, config paths) are consistent with that purpose. The triggers and usage contexts align with a CLI assistant.
Instruction Scope
Runtime instructions are limited to installing the npm package, running the CLI, using its flags and commands, and where to place custom command files. There are no instructions to read unrelated system files, exfiltrate data, or access unrelated environment variables. The guide warns about the risky -y flag.
Install Mechanism
The skill is instruction-only and tells users to run npm install -g @tencent-ai/codebuddy-code — this is a normal install flow for a CLI. However, the skill metadata lacks a homepage or source repository, so the authenticity of the npm package cannot be verified from the skill alone; that raises a trust/typosquatting concern when installing a global package.
Credentials
The skill does not request environment variables or credentials. It mentions login methods (Google/GitHub/WeChat) as user-facing auth flows, which is appropriate and expected for a CLI that interacts with remote models.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. It only instructs installing a global CLI (which is user-level persistence) and writing config/custom commands to ~/.codebuddy or a project folder — these are standard for a CLI tool.
Assessment
This skill is a coherent install/use guide for a CodeBuddy CLI, but the SKILL.md does not provide a homepage or source repository to verify the npm package. Before running npm install -g @tencent-ai/codebuddy-code:

  1. Look up the package on the npm registry and confirm the publisher/organization is legitimate (check the maintainer/owner and package versions).
  2. Find and review the project repo or homepage (if available) to inspect code or at least read README and issues.
  3. Prefer running via npx or in a container/sandbox first instead of a global install.
  4. Avoid using the -y/--dangerously-skip-permissions flag in real projects.
  5. If you must install globally, inspect package contents or run virus/malware scans and consider limiting network/credential access for the first runs.

If you can provide the package/npm link or repository, I can re-evaluate with higher confidence.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.1

SKILL.md

CodeBuddy CLI Skill

AI-powered terminal programming assistant from Tencent.

Installation

# Check prerequisites
node -v  # Requires Node.js 18+
npm -v

# Install globally
npm install -g @tencent-ai/codebuddy-code

# Verify
codebuddy --version

Quick Start

  1. Navigate to project directory
  2. Run codebuddy to start interactive session
  3. Choose login method:
    • Google/GitHub: International version (Gemini, GPT models)
    • WeChat (微信): China version (DeepSeek models)

CLI Arguments

| Argument | Description |
|---|---|
| codebuddy "<prompt>" | Execute single task |
| -y / --dangerously-skip-permissions | Skip permission confirmations (sandbox only) |
| -p / --print | Single execution mode (requires -y for file ops) |
| --permission-mode <mode> | acceptEdits, bypassPermissions, default, plan |
| --version | Show version |

Examples

# Interactive mode
codebuddy

# Single task
codebuddy "帮我优化这个函数的性能"
codebuddy "生成这个 API 的单元测试"
codebuddy "检查这次提交的代码质量"

# Skip permissions (sandbox only)
codebuddy -p "Review code quality" -y

Slash Commands

| Command | Description |
|---|---|
| /help | Display available commands |
| /status | Show account info and current model |
| /login | Switch accounts |
| /logout | Sign out |
| /clear | Reset conversation history |
| /exit | End session |
| /config | Open configuration |
| /doctor | Diagnose issues |
| /cost | Token usage statistics |
| /init | Generate CODEBUDDY.md project guide |
| /memory | Edit project memory files |

Type ? during session for keyboard shortcuts.

Custom Commands

Create .md files in:

  • Project: .codebuddy/commands/
  • Global: ~/.codebuddy/commands/

Update

npm install -g @tencent-ai/codebuddy-code

Security Notes

--dangerously-skip-permissions risks: file deletion, scope creep, data loss. Never use in production.
