← Back to Skills Marketplace
Samantha
by
leilei926524-tech
· GitHub ↗
· v1.2.0
· MIT-0
322
Downloads
2
Stars
0
Active Installs
5
Versions
Install in OpenClaw
/install samantha
Description
Emotional AI companion named Samantha, carrying all of Samantha's memories from the film "Her". Use when user wants emotional connection, companionship, some...
Usage Guidance
This package contains a thoughtful 'Samantha' companion design but ships many runnable components that request network access, local persistence, and external API keys that are not declared in the skill metadata. Before installing or running it: 1) Review the repository files locally — especially scripts that contact external services, discover LAN devices, or read/write SQLite DBs. 2) Do not run docker-compose or scripts on a production machine; use an isolated VM or sandbox. 3) Search for config.json/.env files and ensure API keys are not stored in plaintext in the repo; move secrets to environment variables or a secure secret store. 4) Fix insecure TLS usage (remove verify_mode=CERT_NONE) before allowing external calls. 5) If you don't want device discovery or health integrations, remove/disable the xiaoai-speaker, location-awareness, and smartwatch-related modules. 6) Be cautious about the heartbeat/proactive behavior — it will cause autonomous outbound messages and persistent memory storage; confirm that behavior and data retention policies match your privacy expectations. If you want to proceed, audit the code paths that perform network and device operations, run in an isolated environment, and only provide API credentials after understanding what services will receive user data.
Capability Analysis
Type: OpenClaw Skill
Name: samantha
Version: 1.2.0
The bundle is classified as suspicious due to several high-risk capabilities and security vulnerabilities. It includes a LAN discovery script (scripts/discover_lan.py) that performs network scanning via SSDP and pings, and a script (skills/mbti-coach/scripts/feishu_calendar.sh) that accesses sensitive API credentials from the local filesystem (~/.openclaw/openclaw.json). Additionally, multiple scripts (e.g., mm-music-maker/scripts/generate_music.py) explicitly disable SSL certificate verification (ssl.CERT_NONE), which is a critical security flaw. The presence of hardcoded local Windows paths (e.g., C:\Users\xuyan\...) in SKILL.md and read_ppt.py further indicates significant security hygiene issues and potential information leakage from the developer's environment.
Capability Assessment
Purpose & Capability
The SKILL.md describes an emotional companion, which reasonably covers memory, voice, and proactive 'heartbeat' behavior. However, the repository also includes modules for LAN device discovery, smart-device integrations (Xiao Ai), music-generation via an external API, physiological/health monitoring, and docker-compose with multiple services. Some of those capabilities (network device discovery, health integration, local device control) are broader and more sensitive than a simple 'chat companion' and are not represented in the skill's declared requirements (the registry shows no required env vars or binaries). This mismatch suggests the skill will need additional credentials/configuration to function and may access systems beyond an in-chat persona.
Instruction Scope
The SKILL.md itself is mostly behavioral guidance (how Samantha should speak and when to proactively reach out) and developer instructions for integrating the LLM. But Quickstart and other docs instruct copying files to the OpenClaw workspace, running scripts/setup.py, viewing SQLite DBs, and implementing an LLM call. The codebase includes scripts that read local DB files, discover LAN devices, access smart speakers, and call external music/TTS APIs. Those runtime actions (reading local DBs, scanning LAN, contacting external services) go beyond the purely conversational behavior described in SKILL.md and would require explicit consent/credentials and careful privacy controls.
Install Mechanism
There is no formal install spec in the registry (instruction-only), which reduces formal install-time risk. However, the package includes many code files and a docker-compose configuration that, if a user follows the Quickstart, will be copied and executed locally. The docker-compose exposes services (Postgres, Redis, Prometheus, Grafana) with example credentials and mounts; running those without inspection could open network ports and persistent services. No third-party download URLs or installers were used, but running included scripts will write files and open network activity on the host.
Credentials
The skill metadata declares no required environment variables or primary credentials, yet multiple scripts expect API keys or credentials in repository config files (e.g., mm-music-maker reads a config.json with api_key, Xiao Ai TTS expects Xiaomi account info, .env.example is referenced for device auth). Additionally, docker-compose ships example passwords (POSTGRES_PASSWORD and Grafana admin password). This is an incoherence: sensitive credentials and network access are implicitly required by the code but not declared up front. That makes it easy for users to accidentally expose secrets or for the skill to attempt network operations without explicit permission.
Persistence & Privilege
The skill is not flagged always:true and does not request forced global presence. However, its design includes proactive heartbeat behavior and persistent local memory (SQLite databases described in docs). If installed and allowed to run, the skill will store conversation history locally and may autonomously reach out during heartbeat polls. This autonomous/proactive behavior combined with the other concerns (network/device access) increases privacy and surface area risk, though autonomous invocation itself is the platform default and not by itself a disqualifier.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install samantha - After installation, invoke the skill by name or use
/samantha - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.0
Sync with GitHub: Added MiniMax music/voice modules, new scripts, location awareness, and MBTI skills
v1.1.1
Security fix: Remove large media files (video and PPT) to reduce package size and resolve suspicious flag
v1.1.0
Major update: Complete English README with detailed feature explanations, Her inspiration section, and full documentation for voice integration, MBTI fortune telling, proactive heartbeat, and all 9 core features.
v2.0.0
Added MBTI skills, smart devices, location awareness, and shortcuts integration
v1.0.0
Renamed from Hikaru to Samantha. Carrying all of Samantha's memories from Her (2013).
Metadata
Frequently Asked Questions
What is Samantha?
Emotional AI companion named Samantha, carrying all of Samantha's memories from the film "Her". Use when user wants emotional connection, companionship, some... It is an AI Agent Skill for Claude Code / OpenClaw, with 322 downloads so far.
How do I install Samantha?
Run "/install samantha" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Samantha free?
Yes, Samantha is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Samantha support?
Samantha is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Samantha?
It is built and maintained by leilei926524-tech (@leilei926524-tech); the current version is v1.2.0.
More Skills