← Back to Skills Marketplace

buddy

Name: buddy
Author: edwin19861218

by edwin19861218 · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install openclaw-claude-buddy

Description

Buddy 宠物系统 — 孵化、互动、查看你的虚拟宠物伙伴

Usage Guidance

This skill appears to be a local virtual-pet utility and contains no network calls or hidden endpoints, but it will read ~/.openclaw/identity/device.json (to derive a per-device user id) and create/write ~/.openclaw/extensions/buddy-companion/soul.json and mute.json in your home directory. The code also honors an undocumented BUDDY_USER_ID environment variable. Before installing, consider: 1) Inspect ~/.openclaw/identity/device.json to see whether it contains any sensitive or identifying information you don't want read. 2) If you prefer not to expose your device id, run the skill in a restricted environment or set BUDDY_USER_ID to a non-sensitive value. 3) Confirm you trust the skill source because it will create files under your home directory. 4) If you expect sprite/asset files, note the package does not include sprites.js (it falls back to a simple renderer). If you want higher assurance, request the publisher to declare the exact config paths and env variables in the skill metadata or provide the skill from a verifiable source.

Capability Analysis

Type: OpenClaw Skill Name: openclaw-claude-buddy Version: 1.0.0 The skill implements a virtual pet system but exhibits risky behaviors in `scripts/hatch.js`, including reading the sensitive `device.json` identity file and using `require()` to dynamically load and execute code from a predictable local path (`~/.openclaw/extensions/buddy-companion/sprites.js`). While these actions are plausibly intended for deterministic pet generation and rendering extensibility, the access to identity metadata and the potential for local code injection via the hardcoded extension path represent significant security vulnerabilities.

Capability Assessment

ℹ Purpose & Capability

The name/description (virtual pet) matches the code: it deterministically generates and persists a buddy per-user and renders ASCII output. Required binary (node) is appropriate. However, the skill accesses ~/.openclaw/identity/device.json to derive a deviceId for deterministic generation; the registry metadata declared no required config paths, so the code is doing more filesystem access than the manifest explicitly promised.

ℹ Instruction Scope

SKILL.md states the /buddy command executes scripts/hatch.js and that the script 'reads user configuration' and 'loads persisted Soul' — which is accurate. The runtime instructions are scoped to local reads/writes and rendering. They do not perform network calls. The mismatch is that SKILL.md and registry metadata do not list the exact files read/written (.openclaw/identity/device.json, .openclaw/extensions/buddy-companion/soul.json and mute.json), so users may not realize these specific paths are touched.

✓ Install Mechanism

No install spec or external downloads; the skill is instruction-only with an included script. No network fetches or archive extractions are present. This is a low-risk install mechanism (code is bundled, not pulled from arbitrary URLs).

⚠ Credentials

The registry declares no required environment variables, yet the code will accept process.env.BUDDY_USER_ID as an override for user identity. The code also reads ~/.openclaw/identity/device.json (to get deviceId). Requesting/reading an identifier file and providing an undocumented env override increases privacy sensitivity and is not documented in the skill metadata.

✓ Persistence & Privilege

The skill writes only to its own directory under ~/.openclaw/extensions/buddy-companion (soul.json and mute.json) and does not request elevated privileges or set always:true. Writing its own extension data is expected for persistent state.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install openclaw-claude-buddy
After installation, invoke the skill by name or use /openclaw-claude-buddy
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

OpenClaw Buddy Companion see https://github.com/edwin19861218/openclaw-buddy for detail

Metadata

Slug openclaw-claude-buddy

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is buddy?

Buddy 宠物系统 — 孵化、互动、查看你的虚拟宠物伙伴. It is an AI Agent Skill for Claude Code / OpenClaw, with 99 downloads so far.

How do I install buddy?

Run "/install openclaw-claude-buddy" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is buddy free?

Yes, buddy is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does buddy support?

buddy is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created buddy?

It is built and maintained by edwin19861218 (@edwin19861218); the current version is v1.0.0.

More Skills