buddy

Buddy 宠物系统 — 孵化、互动、查看你的虚拟宠物伙伴

This skill appears to be a local virtual-pet utility and contains no network calls or hidden endpoints, but it will read ~/.openclaw/identity/device.json (to derive a per-device user id) and create/write ~/.openclaw/extensions/buddy-companion/soul.json and mute.json in your home directory. The code also honors an undocumented BUDDY_USER_ID environment variable. Before installing, consider: 1) Inspect ~/.openclaw/identity/device.json to see whether it contains any sensitive or identifying information you don't want read. 2) If you prefer not to expose your device id, run the skill in a restricted environment or set BUDDY_USER_ID to a non-sensitive value. 3) Confirm you trust the skill source because it will create files under your home directory. 4) If you expect sprite/asset files, note the package does not include sprites.js (it falls back to a simple renderer). If you want higher assurance, request the publisher to declare the exact config paths and env variables in the skill metadata or provide the skill from a verifiable source.

Type: OpenClaw Skill Name: openclaw-claude-buddy Version: 1.0.0 The skill implements a virtual pet system but exhibits risky behaviors in `scripts/hatch.js`, including reading the sensitive `device.json` identity file and using `require()` to dynamically load and execute code from a predictable local path (`~/.openclaw/extensions/buddy-companion/sprites.js`). While these actions are plausibly intended for deterministic pet generation and rendering extensibility, the access to identity metadata and the potential for local code injection via the hardcoded extension path represent significant security vulnerabilities.