Streaming Buddy
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: streaming-buddy Version: 2.0.0 The skill bundle is benign. The `handler.sh` script uses `curl` to interact with the legitimate TMDB API (`api.themoviedb.org`) for its stated purpose of providing streaming recommendations. All file operations are confined to the designated `$WORKSPACE/memory/streaming-buddy` directory, and there is no evidence of data exfiltration, malicious execution (e.g., `eval` with untrusted input, `curl|bash`), persistence mechanisms, or prompt injection attempts in `SKILL.md`.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Search terms, title IDs, region/language settings, and the TMDB API key are used in requests to TMDB.
The handler uses curl to call TMDB endpoints for search, details, and discovery. This network use is central to the skill’s stated movie/TV recommendation purpose.
TMDB_BASE="https://api.themoviedb.org/3" ... result=$(curl -s --max-time 10 "$url" ...)
Use a TMDB key you are comfortable using with this skill and avoid putting unrelated private information into streaming search queries.
Anyone with access to the workspace memory file could see or reuse the TMDB API key.
The skill asks the user to store a TMDB API key in a workspace-local config file. This is expected for TMDB integration, but it is still credential handling.
Store in `memory/streaming-buddy/config.json`: { "tmdbApiKey": "your_api_key", "region": "DE", "language": "de-DE" }Store only a TMDB key intended for this use, keep workspace files private, and rotate the key if the workspace is shared or exposed.
Your viewing habits and taste profile may remain available to future uses of the skill within the same workspace.
The skill persists personal streaming services, watch progress, ratings, preferences, history, and cached API responses for later recommendations.
All data stored in `$WORKSPACE/memory/streaming-buddy/`: ... `preferences.json`, `watching.json`, `watchlist.json`, `history.json`, `cache/*.json`
Install only if you are comfortable with local viewing-history persistence; delete `$WORKSPACE/memory/streaming-buddy/` to reset the profile.
You have less external provenance information about who maintains the skill or where updates come from.
The artifact metadata does not provide a source repository or homepage, which limits provenance review even though the supplied files are coherent and the static scan is clean.
Source: unknown; Homepage: none
Review the bundled files and publisher identity before installing, especially before updating to future versions.