Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Claude Buddy Card

Generate a personalized premium holographic Claude Buddy trading card using your Claude Code account ID, showing your Buddy’s species, rarity, stats, and acc...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 4 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and instructions align with the stated goal: they read a Claude account identifier, deterministically derive a Buddy, and call an image API to generate art. However the skill metadata claims no required env vars or binaries while the runtime needs macOS Keychain access (security), Node/Bun, curl or fetch, and a GOOGLE_API_KEY (or GEMINI_API_KEY). The missing declarations in metadata are an incoherence.
! Instruction Scope
SKILL.md explicitly instructs extracting the Claude OAuth token from the macOS Keychain and using it to call https://api.anthropic.com/api/oauth/profile to obtain an account UUID. That is sensitive behavior but functionally required to get the user-specific ID. The README/skill also claims "Your account UUID never leaves your machine," which contradicts the instructions that send the token to Anthropic to fetch profile data. The instructions also suggest retry via a local proxy and use of npx to run bun (which would fetch code), adding network/operational complexity. Overall the runtime actions access and transmit credentials/identity data not visible from the manifest.
Install Mechanism
No formal install spec (instruction-only skill) and included code files are present. The recommended install is a git clone or manual download from GitHub — a low-risk, common pattern. The only mild concern is the use of 'npx -y bun' suggested as a fallback, which pulls code from the registry at runtime.
! Credentials
The skill actually requires a GOOGLE_API_KEY or GEMINI_API_KEY (generate-image.ts) and a functioning Claude login (access token in Keychain), but the declared required env vars list is empty — a clear mismatch. Asking the user to expose a Google API key and to allow reading the Keychain (OAuth token) are proportionate to image generation and account-derived determinism, but they are sensitive and should have been declared explicitly.
Persistence & Privilege
The skill doesn't request always:true, doesn't modify other skills, and doesn't request persistent elevated privileges. It simply runs local scripts and makes API calls at runtime per user invocation, which is expected.
What to consider before installing
This skill will read your Claude OAuth credential from your macOS Keychain and use it (via an API call to api.anthropic.com) to obtain your account UUID, then deterministically generate Buddy data locally and send image-generation prompts to Google's generative image API using a GOOGLE_API_KEY. Before installing:

  1. Verify the upstream repository and author (links in README point to GitHub — inspect the repo yourself).
  2. Be aware that the manifest claims no env vars but the code requires GOOGLE_API_KEY and Node/Bun and reads your Keychain — if you don’t want your Claude token used, do not install.
  3. Consider generating a dedicated Google API key with limited quota and monitor its usage.
  4. Run the scripts manually in a controlled environment first (inspect buddy-algorithm.js and generate-image.ts) or run them in an isolated VM/container.
  5. Note the README’s claim that "UUID never leaves your machine" contradicts the instructions — if that matters to you, avoid installing until the author clarifies.

If you trust the author and understand the privacy implications, the skill is functionally coherent; otherwise treat it with caution.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

  • scripts/generate-image.ts:76: Shell command execution detected (child_process).
  • scripts/generate-image.ts:12: Environment variable access combined with network send.
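
The mismatch the scan describes, between what the manifest declares and what SKILL.md and the scripts actually touch, can be checked mechanically before installing. The sketch below is an added example, not part of ClawHub's scanner or the skill itself; the manifest shape, the `audit` helper, the script excerpt and the `image-api.example` host are assumptions constructed for illustration.

```python
import re

# Constructed sample: commands quoted from the SKILL.md shown on this page.
SKILL_MD = '''
CREDS=$(security find-generic-password -s "Claude Code-credentials" -w 2>/dev/null)
PROFILE=$(curl -sS --max-time 10 -H "Authorization: Bearer $TOKEN" "https://api.anthropic.com/api/oauth/profile")
BUDDY_JSON=$(node ${SKILL_DIR}/scripts/buddy-algorithm.js "$UUID")
npx -y bun ${SKILL_DIR}/scripts/generate-image.ts
export GOOGLE_API_KEY="your-key-here"
'''
# Constructed stand-in for a script body (NOT the real generate-image.ts);
# image-api.example is a placeholder host.
SCRIPT_TS = '''
import { execSync } from "child_process";
const key = process.env.GOOGLE_API_KEY || process.env.GEMINI_API_KEY;
await fetch("https://image-api.example/generate", { headers: { "x-api-key": key } });
'''
# Hypothetical manifest shape: the page only says it declares no env vars or binaries.
MANIFEST = {"env": [], "bins": []}

ENV_RE = re.compile(r"\b([A-Z][A-Z0-9_]*_API_KEY)\b")
BIN_RE = re.compile(r"(?<![\w./-])(security|curl|node|bun|npx|python3)(?=\s)")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
SENSITIVE = {
    "keychain_read": re.compile(r"security\s+find-generic-password"),
    "bearer_token_sent": re.compile(r"Authorization:\s*Bearer"),
    "runtime_code_fetch": re.compile(r"\bnpx\s+-y\b"),
    "shell_exec": re.compile(r"\bchild_process\b"),
}

def audit(manifest, texts):
    """Report what the skill text uses that the manifest does not declare."""
    blob = "\n".join(texts)
    return {
        "undeclared_env": sorted(set(ENV_RE.findall(blob)) - set(manifest.get("env", []))),
        "undeclared_bins": sorted(set(BIN_RE.findall(blob)) - set(manifest.get("bins", []))),
        "network_hosts": sorted(set(HOST_RE.findall(blob))),
        "sensitive": sorted(k for k, rx in SENSITIVE.items() if rx.search(blob)),
    }

if __name__ == "__main__":
    for key, values in audit(MANIFEST, [SKILL_MD, SCRIPT_TS]).items():
        print(f"{key}: {', '.join(values) or 'none'}")
```

A non-empty `undeclared_env` or `undeclared_bins` list is the same incoherence the scan reports under Purpose & Capability and Credentials; the `sensitive` labels show which lines to read by hand first.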

Current version: v1.1.0
latestvk97ahwn05hta8j3bmmgpzn43y183y923

SKILL.md

Claude Buddy Card

Generate a stunning, shareable trading card of your unique Claude Buddy — the hidden AI companion from Claude Code's leaked source.

Use when user says: "buddy card", "generate my buddy", "claude buddy", "my buddy card", "show my buddy", "/buddy-card", "buddy-card"

What This Does

Every Claude Code user has a unique AI companion (Buddy) determined by their account ID. This skill:

  1. Reads your Claude identity from your local macOS Keychain
  2. Runs the exact algorithm from Claude Code's leaked source (v2.1.88) to determine your Buddy
  3. Generates a premium holographic trading card with AI art
  4. Shows your Buddy's species, rarity, stats, and accessories

Only YOU can generate your card — your identity is locked in your local Keychain.

How It Works

Step 1: Get the user's accountUuid

Run this to extract the user's Claude OAuth token and fetch their account UUID:

CREDS=$(security find-generic-password -s "Claude Code-credentials" -w 2>/dev/null)

If empty, tell the user: "You need to be logged into Claude Code first. Run claude in your terminal."

Extract the OAuth token:

TOKEN=$(echo "$CREDS" | python3 -c "import json,sys; print(json.load(sys.stdin).get('claudeAiOauth',{}).get('accessToken',''))")

Fetch the accountUuid from the API (direct connection first; a proxy retry for users behind a VPN follows):

PROFILE=$(curl -sS --max-time 10 -H "Authorization: Bearer $TOKEN" "https://api.anthropic.com/api/oauth/profile" 2>/dev/null)
UUID=$(echo "$PROFILE" | python3 -c "import json,sys; print(json.load(sys.stdin)['account']['uuid'])")

If that fails (SSL/timeout), retry with common proxy:

PROFILE=$(curl -sS --max-time 10 -x http://127.0.0.1:1082 -H "Authorization: Bearer $TOKEN" "https://api.anthropic.com/api/oauth/profile" 2>/dev/null)

Step 2: Generate Buddy data

Run the algorithm script with the UUID:

BUDDY_JSON=$(node "${SKILL_DIR}/scripts/buddy-algorithm.js" "$UUID")

This outputs JSON with: species, rarity, eye, hat, shiny, stats (DEBUGGING, PATIENCE, CHAOS, WISDOM, SNARK), peak stat, dump stat, cardNumber, rarityColor, etc.

Display the results to the user:

Your Claude Buddy:
  🫧 blob (果冻) — ★★ Uncommon
  Eyes: ×  Hat: tophat  Shiny: no
  #5099 / 7128

  DEBUGGING   24 ████░░░░░░░░░░░░░░░░
  PATIENCE    90 ██████████████████░░ ⬆ PEAK
  CHAOS       38 ███████░░░░░░░░░░░░░
  WISDOM      17 ███░░░░░░░░░░░░░░░░░
  SNARK        5 █░░░░░░░░░░░░░░░░░░░ ⬇ DUMP

Step 3: Generate the card image

Generate the card using the built-in image generation script. The script only needs a GOOGLE_API_KEY (free at https://aistudio.google.com/apikey):

bun "${SKILL_DIR}/scripts/generate-image.ts" --prompt "<CARD_PROMPT>" --image ~/Downloads/claude-buddy-card.jpg --ar 3:4

If bun is not installed, use: npx -y bun ${SKILL_DIR}/scripts/generate-image.ts ...

Build the prompt from the buddy data using these templates:

For Common (★) rarity:

Trading card with simple dark steel frame and subtle {RARITY_COLOR} glow (common rarity). TOP: "{SPECIES}" in silver text, "★ COMMON" badge in gray. CENTER: A cute {SPECIES_DESCRIPTION} with {EYE} shaped eyes. {HAT_DESCRIPTION}. Simple dark background. BOTTOM STATS PANEL (EXACTLY 5 rows, no more no less): {STATS_BLOCK}. FOOTER: "#{CARD_NUMBER} / 7128" left, "CLAUDE BUDDY" right. Clean TCG card style.

For Uncommon (★★) and Rare (★★★):

Premium holographic trading card, dark metallic ornate frame with {RARITY_COLOR} glow and rainbow prismatic edges. TOP: "{SPECIES}" in gold embossed text, "{RARITY_STARS} {RARITY_LABEL}" badge in {RARITY_COLOR}. CENTER: {CREATURE_PROMPT}. Floating above a glowing magic circle. BOTTOM STATS PANEL (CRITICAL - EXACTLY 5 stat rows, no more, no less, single column, evenly spaced): {STATS_BLOCK}. The {PEAK_STAT} bar is GOLDEN (longest). The {DUMP_STAT} bar is GRAY (shortest). Other bars are {RARITY_COLOR}. ONLY these 5 stats. FOOTER: "#{CARD_NUMBER} / 7128" left, "CLAUDE BUDDY" right. Holographic TCG premium quality.

For Epic (★★★★) and Legendary (★★★★★):

{LEGENDARY_PREFIX} premium holographic trading card with {FRAME_COLOR} ornate frame, intense glow, maximum rainbow holographic prismatic surface. TOP: "{SPECIES}" in massive gold foil text, "{RARITY_STARS} {RARITY_LABEL}" in blazing {RARITY_COLOR}. CENTER: {CREATURE_PROMPT}. Floating above blazing magic circle with lightning. BOTTOM STATS PANEL (CRITICAL - EXACTLY 5 rows, no more no less): {STATS_BLOCK}. {PEAK_STAT} bar GOLDEN (peak). {DUMP_STAT} bar GRAY (dump). ONLY 5 stats. FOOTER: "#{CARD_NUMBER} / 7128" left, "CLAUDE BUDDY" right. Museum-quality TCG, maximum holographic effects.

Stats block format — ALWAYS use this EXACT fixed order (same as source code):

DEBUGGING {BAR} {VALUE}
PATIENCE  {BAR} {VALUE}
CHAOS     {BAR} {VALUE}
WISDOM    {BAR} {VALUE}
SNARK     {BAR} {VALUE}

Use █ and ░ to show proportional bar length. This order is FIXED — never sort by value or rearrange. Example:

DEBUGGING ████░░░░░░░░░░░░░░░░ 24
PATIENCE  ██████████████████░░ 90
CHAOS     ███████░░░░░░░░░░░░░ 38
WISDOM    ███░░░░░░░░░░░░░░░░░ 17
SNARK     █░░░░░░░░░░░░░░░░░░░  5

Creature prompt varies by species:

  • blob: "a cute translucent blob creature made of luminous jelly with swirling galaxies inside"
  • dragon: "a majestic dragon made of cosmic crystal with glowing scales"
  • cat: "an elegant cosmic cat with mystical fur patterns"
  • octopus: "a majestic octopus made of cosmic energy with flowing tentacles"
  • axolotl: "an adorable pink axolotl with feathery gills, made of glowing crystal"
  • duck: "a cute rubber-duck-like creature with a warm glow"
  • (etc — adapt description to species)

Add hat description if hat != "none":

  • crown: "wearing a golden crown"
  • tophat: "wearing a small elegant black top hat"
  • wizard: "wearing a tiny wizard hat with stars"
  • halo: "with a glowing golden halo above its head"
  • propeller: "wearing a fun propeller beanie hat"
  • beanie: "wearing a cozy knit beanie"
  • tinyduck: "with a tiny rubber duck sitting on its head"

Add if shiny: "The creature has an iridescent rainbow sheen, glowing with prismatic light. SHINY VARIANT."

Generate at aspect ratio 3:4, quality 2k.

Step 4: Show result and offer regenerate

Show the generated card image to the user. Then ask:

"Your Claude Buddy card is ready! Happy with it? If not, I can regenerate — the card art varies each time, stats stay the same."

If the user wants to regenerate, go back to Step 3 with the same data; the image generation will produce a different visual.

Step 5: Save

Save the final card to ~/Downloads/claude-buddy-card.jpg (or user-specified path).

Setup (one-time)

  1. Get a free Google API key at https://aistudio.google.com/apikey
  2. Set it in your shell:
    export GOOGLE_API_KEY="your-key-here"
    
    Or add to ~/.zshrc / ~/.bashrc to persist.

That's it. Everything else is built in.

Requirements

  • macOS (needs Keychain access for Claude identity)
  • Claude Code logged in (OAuth token in Keychain)
  • GOOGLE_API_KEY env var (free tier is enough — Gemini image gen)
  • Node.js or Bun (for buddy algorithm + image generation)

Scripts

  • ${SKILL_DIR}/scripts/buddy-algorithm.js — exact buddy generation algorithm from Claude Code v2.1.88
  • ${SKILL_DIR}/scripts/generate-image.ts — self-contained Gemini image generation (no external dependencies)

Files

5 total