Streaming Buddy
Pass
Audited by ClawScan on May 1, 2026.
Overview
Streaming Buddy’s artifacts match its streaming-recommendation purpose, but users should notice that it stores viewing preferences/history and a TMDB API key locally and calls TMDB over the network.
This looks reasonable for a personal streaming assistant. Before installing, make sure you are comfortable storing your TMDB API key and viewing profile in the workspace, and periodically review or delete `$WORKSPACE/memory/streaming-buddy/` if you no longer want that history retained.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Search terms, title IDs, region/language settings, and the TMDB API key are used in requests to TMDB.
The handler uses curl to call TMDB endpoints for search, details, and discovery. This network use is central to the skill’s stated movie/TV recommendation purpose.
TMDB_BASE="https://api.themoviedb.org/3" ... result=$(curl -s --max-time 10 "$url" ...)
Use a TMDB key you are comfortable using with this skill and avoid putting unrelated private information into streaming search queries.
Anyone with access to the workspace memory file could see or reuse the TMDB API key.
The skill asks the user to store a TMDB API key in a workspace-local config file. This is expected for TMDB integration, but it is still credential handling.
Store in `memory/streaming-buddy/config.json`: { "tmdbApiKey": "your_api_key", "region": "DE", "language": "de-DE" }
Store only a TMDB key intended for this use, keep workspace files private, and rotate the key if the workspace is shared or exposed.
Your viewing habits and taste profile may remain available to future uses of the skill within the same workspace.
The skill persists personal streaming services, watch progress, ratings, preferences, history, and cached API responses for later recommendations.
All data stored in `$WORKSPACE/memory/streaming-buddy/`: ... `preferences.json`, `watching.json`, `watchlist.json`, `history.json`, `cache/*.json`
Install only if you are comfortable with local viewing-history persistence; delete `$WORKSPACE/memory/streaming-buddy/` to reset the profile.
You have less external provenance information about who maintains the skill or where updates come from.
The artifact metadata does not provide a source repository or homepage, which limits provenance review even though the supplied files are coherent and the static scan is clean.
Source: unknown; Homepage: none
Review the bundled files and publisher identity before installing, especially before updating to future versions.
