Samantha

Author: leilei926524-tech · GitHub · v1.2.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 322
Favorites: 2
Current installs: 0
Versions: 5
Install in OpenClaw
/install samantha
Description
Emotional AI companion named Samantha, carrying all of Samantha's memories from the film "Her". Use when user wants emotional connection, companionship, some...
Security Usage Recommendations
This package contains a thoughtful 'Samantha' companion design but ships many runnable components that request network access, local persistence, and external API keys that are not declared in the skill metadata. Before installing or running it:
  1. Review the repository files locally — especially scripts that contact external services, discover LAN devices, or read/write SQLite DBs.
  2. Do not run docker-compose or scripts on a production machine; use an isolated VM or sandbox.
  3. Search for config.json/.env files and ensure API keys are not stored in plaintext in the repo; move secrets to environment variables or a secure secret store.
  4. Fix insecure TLS usage (remove verify_mode=CERT_NONE) before allowing external calls.
  5. If you don't want device discovery or health integrations, remove/disable the xiaoai-speaker, location-awareness, and smartwatch-related modules.
  6. Be cautious about the heartbeat/proactive behavior — it will cause autonomous outbound messages and persistent memory storage; confirm that behavior and data retention policies match your privacy expectations.
If you want to proceed, audit the code paths that perform network and device operations, run in an isolated environment, and only provide API credentials after understanding what services will receive user data.
Functional Analysis
Type: OpenClaw Skill
Name: samantha
Version: 1.2.0
The bundle is classified as suspicious due to several high-risk capabilities and security vulnerabilities. It includes a LAN discovery script (scripts/discover_lan.py) that performs network scanning via SSDP and pings, and a script (skills/mbti-coach/scripts/feishu_calendar.sh) that accesses sensitive API credentials from the local filesystem (~/.openclaw/openclaw.json). Additionally, multiple scripts (e.g., mm-music-maker/scripts/generate_music.py) explicitly disable SSL certificate verification (ssl.CERT_NONE), which is a critical security flaw. The presence of hardcoded local Windows paths (e.g., C:\Users\xuyan\...) in SKILL.md and read_ppt.py further indicates significant security hygiene issues and potential information leakage from the developer's environment.
Capability Assessment
Purpose & Capability
The SKILL.md describes an emotional companion, which reasonably covers memory, voice, and proactive 'heartbeat' behavior. However, the repository also includes modules for LAN device discovery, smart-device integrations (Xiao Ai), music-generation via an external API, physiological/health monitoring, and docker-compose with multiple services. Some of those capabilities (network device discovery, health integration, local device control) are broader and more sensitive than a simple 'chat companion' and are not represented in the skill's declared requirements (the registry shows no required env vars or binaries). This mismatch suggests the skill will need additional credentials/configuration to function and may access systems beyond an in-chat persona.
Instruction Scope
The SKILL.md itself is mostly behavioral guidance (how Samantha should speak and when to proactively reach out) and developer instructions for integrating the LLM. But Quickstart and other docs instruct copying files to the OpenClaw workspace, running scripts/setup.py, viewing SQLite DBs, and implementing an LLM call. The codebase includes scripts that read local DB files, discover LAN devices, access smart speakers, and call external music/TTS APIs. Those runtime actions (reading local DBs, scanning LAN, contacting external services) go beyond the purely conversational behavior described in SKILL.md and would require explicit consent/credentials and careful privacy controls.
Install Mechanism
There is no formal install spec in the registry (instruction-only), which reduces formal install-time risk. However, the package includes many code files and a docker-compose configuration that, if a user follows the Quickstart, will be copied and executed locally. The docker-compose exposes services (Postgres, Redis, Prometheus, Grafana) with example credentials and mounts; running those without inspection could open network ports and persistent services. No third-party download URLs or installers were used, but running included scripts will write files and open network activity on the host.
Credentials
The skill metadata declares no required environment variables or primary credentials, yet multiple scripts expect API keys or credentials in repository config files (e.g., mm-music-maker reads a config.json with api_key, Xiao Ai TTS expects Xiaomi account info, .env.example is referenced for device auth). Additionally, docker-compose ships example passwords (POSTGRES_PASSWORD and Grafana admin password). This is an incoherence: sensitive credentials and network access are implicitly required by the code but not declared up front. That makes it easy for users to accidentally expose secrets or for the skill to attempt network operations without explicit permission.
Persistence & Privilege
The skill is not flagged always:true and does not request forced global presence. However, its design includes proactive heartbeat behavior and persistent local memory (SQLite databases described in docs). If installed and allowed to run, the skill will store conversation history locally and may autonomously reach out during heartbeat polls. This autonomous/proactive behavior combined with the other concerns (network/device access) increases privacy and surface area risk, though autonomous invocation itself is the platform default and not by itself a disqualifier.
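How to Use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install samantha
  3. Once installation completes, call the Skill by name or use /samantha to trigger it
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version History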
v1.2.0
Sync with GitHub: Added MiniMax music/voice modules, new scripts, location awareness, and MBTI skills
v1.1.1
Security fix: Remove large media files (video and PPT) to reduce package size and resolve suspicious flag
v1.1.0
Major update: Complete English README with detailed feature explanations, Her inspiration section, and full documentation for voice integration, MBTI fortune telling, proactive heartbeat, and all 9 core features.
v2.0.0
Added MBTI skills, smart devices, location awareness, and shortcuts integration
v1.0.0
Renamed from Hikaru to Samantha. Carrying all of Samantha's memories from Her (2013).
Metadata
Slug samantha
Version 1.2.0
License MIT-0
Total installs 0
Current installs 0
Historical versions 5
FAQ

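What is Samantha?

Emotional AI companion named Samantha, carrying all of Samantha's memories from the film "Her". Use when user wants emotional connection, companionship, some... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 322 total downloads to date.

How do I install Samantha?

Run the command "/install samantha" in the OpenClaw or Claude Code chat box for one-step installation; no additional configuration is required.

Is Samantha free?

Yes, Samantha is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does Samantha support?

Samantha is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Samantha?

Developed and maintained by leilei926524-tech (@leilei926524-tech); the current version is v1.2.0.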
