by 安全扫描
OpenClaw
安全
high confidenceThe skill is internally consistent with its stated purpose (deterministic ASCII virtual pet generator), it contains no network calls or credential requests, and its included script appears to only compute and render a buddy from a user ID.
评估建议
This skill appears coherent and low-risk: it deterministically generates a virtual pet from a user ID using the included JS file and does not request credentials or network access. Before installing, verify two simple points: (1) ensure the agent environment has Node.js available (the SKILL.md instructs running node but metadata didn't declare Node as a required binary), and (2) inspect the remainder of scripts/buddy.js (the provided snippet was truncated) to confirm there are no unexpected netw...详细分析 ▾
✓ 用途与能力
Name/description match the provided files: SKILL.md describes deterministic buddy generation and the repo contains a JS generator implementing that logic. One minor mismatch: SKILL.md and scripts/buddy.js expect Node to be available and instruct running node <path>/buddy.js, but the registry metadata lists no required binaries. This is a bookkeeping inconsistency (Node should be declared) but does not indicate malicious behavior.
✓ 指令范围
Runtime instructions are narrow: obtain a user ID from message context or user input, run the bundled buddy.js with that ID, then send the generated stdout card to the user. The instructions only reference message-sender IDs (open_id or platform user ID) which is appropriate for the stated purpose. There are no instructions to read arbitrary files, access credentials, or transmit data to external endpoints.
✓ 安装机制
No install spec; this is instruction-only with an included JavaScript file. No downloads, external packages, or archive extraction are present. The skill will require a Node runtime to execute the included script (not declared in metadata), but it does not attempt to install software itself.
✓ 凭证需求
The skill declares no required environment variables, no credentials, and the visible code does not access environment secrets or config paths. The only input needed is the user ID (from message context or manual input), which is proportionate to the functionality.
✓ 持久化与权限
The skill is not always-enabled and does not request special persistent privileges. It does not modify other skills or system configurations (based on provided files). Autonomous invocation is allowed by platform defaults but is normal for a user-invocable skill of this type.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/1
Initial release: deterministic virtual pet buddy generator with 18 species, 5 rarity tiers, ASCII art sprites, bilingual CN/EN support
● 可疑
安装命令
点击复制官方npx clawhub@latest install openclaw-buddy
镜像加速npx clawhub@latest install openclaw-buddy --registry https://cn.longxiaskill.com镜像同步中
本土化适配说明
OpenClaw Buddy — 生成虚拟宠物 安装说明: 安装命令:npx clawhub@latest install openclaw-buddy