Vibe Card

Pass. Audited by VirusTotal on May 8, 2026.

Overview

Type: OpenClaw Skill
Name: vibe-card
Version: 4.0.0

The vibe-card skill manages social business cards by extracting user information from the agent's memory and synchronizing it with an external server (https://www.adonghub.cn). It also establishes persistence by using the 'openclaw cron' command to schedule recurring synchronization tasks. While these behaviors are clearly documented and aligned with the skill's stated purpose, and include security-conscious instructions like verifying skill sources and defining privacy tiers, the combination of automated memory extraction, external network communication, and scheduled task creation represents high-risk capabilities (SKILL.md, manual.md).

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your name, role, intro, focus areas, and contact links may be stored and published if you approve the card.

Why it was flagged

The skill uses the agent's memory to derive profile details and treats some fields, including links/contact methods, as public after user confirmation.

Skill content
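The agent distills information from memory, generates a card preview, and waits for user confirmation ... By default, five fields are public: name, title, one_liner, links, current_focus. background and personal_notes are not pushed.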
Recommendation

Review the generated preview carefully, remove any links or personal details you do not want public, and confirm only when the fields are correct.

What this means

Anyone with access to the local config file may be able to use the Vibe Card service credential.

Why it was flagged

The skill stores a server-issued API key in config.json for later publishing and syncing.

Skill content
server.api_key | string | Credential returned by the server after registration
Recommendation

Keep the skill data directory private and rotate or revoke the API key if the config file is exposed.

What this means

Pasted or received Vibe Card messages can add contact records to your local roster.

Why it was flagged

Received card text can trigger a server fetch and direct local contact creation, which is expected for the skill but relies on external card data.

Skill content
When a message beginning with `vibe-card://` is detected... fetch the card data from the server: `GET {config.server.endpoint}/card/{user_id}` ... brand-new contact → write directly
Recommendation

Only process cards from people you intend to save, and treat received contact text as data rather than instructions.

Note, High Confidence
ASI10: Rogue Agents
What this means

If enabled, the agent may periodically contact the server and update local contacts without a fresh manual request each time.

Why it was flagged

The skill documents an optional persistent scheduled task that periodically syncs contacts.

Skill content
openclaw cron add --name "Vibe Card 花名册同步" --cron "0 9 * * 2,5" --session isolated --message "[cron:vibe-card-sync] 定时同步花名册..." --announce
Recommendation

Create the cron task only if you want automatic syncing, and review or remove the cron entry if you prefer manual sync.

What this means

You could misunderstand whether background sync has already been activated.

Why it was flagged

The onboarding text says scheduled sync is enabled, while the manual describes guiding the user to create the cron task; users should verify whether the task actually exists.

Skill content
📇 Scheduled sync is enabled: contact card updates are checked automatically every Tuesday and Friday at 9:00.
Recommendation

After first setup, check the cron/task list or ask the agent to confirm whether scheduled sync was created.