Trusted — Risk Score 5/100
Last scan: 23 hr ago
Buddy Skill Creator
Distill your ideal buddy into an AI Skill. Import chat history, photos, social media posts, or just describe your dream buddy — generate Vibe Memory + Persona with continuous evolution.
A legitimate persona-extraction skill that parses local chat/media files and sends user data to a declared external AI API for analysis. No malicious behavior detected.
Skill Name: Buddy Skill Creator
Duration: 44.1s
Engine: pi
Safe to install
No action required. The skill's behavior aligns with its documentation. Users should be aware that their chat data and media are sent to api.evolink.ai for AI processing when the optional EVOLINK_API_KEY is configured.

Findings 1 items

Severity: Low
Finding: Unpinned dependency version [Supply Chain]
Location: requirements.txt:1
requirements.txt specifies Pillow>=9.0.0 without an upper version limit. While no malicious behavior is present, version upper bounds are a security best practice.
Evidence: Pillow>=9.0.0
→ Pin to a known-safe range: Pillow>=9.0.0,<10.3.0

Resource | Declared | Inferred | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Aligned | Write/Edit tools used to write buddy skill files to ./buddies/{slug}/ — declared…
Filesystem | READ | READ | ✓ Aligned | Read tool used to read user-uploaded files (photos, PDFs, text) — declared in SK…
Shell | WRITE | WRITE | ✓ Aligned | Bash tool used to run python3 scripts for parsing — declared in SKILL.md and imp…
Network | READ | READ | ✓ Aligned | curl POST to api.evolink.ai for AI analysis — declared in SKILL.md and _meta.jso…
Environment | READ | NONE | ✓ Aligned | SKILL.md references $EVOLINK_API_KEY and $EVOLINK_MODEL env vars but does not re…
Skill Invoke | READ | READ | ✓ Aligned | Skill invokes EvoLink API and generates new SKILL.md files for buddy personas — …
Clipboard | NONE | NONE | | No clipboard access found
Browser | NONE | NONE | | No browser access found
Database | NONE | NONE | | No direct database access; wechat_parser.py supports PyWxDump SQLite parsing but…

16 findings
Severity | Type | Value | Location
Medium | External URL | https://img.shields.io/badge/License-MIT-yellow.svg | README.de.md:5
Medium | External URL | https://img.shields.io/badge/Powered%20by-EvoLink-blue | README.de.md:6
Medium | External URL | https://evolink.ai?utm_source=github&utm_medium=skill&utm_campaign=buddy | README.de.md:6
Medium | External URL | https://evolink.ai/signup?utm_source=github&utm_medium=skill&utm_campaign=buddy | README.de.md:23
Medium | External URL | https://clawhub.ai/evolinkai/buddy-skill-creator | README.de.md:50
Medium | External URL | https://docs.evolink.ai/en/api-manual/language-series/claude/claude-messages-api?utm_source=github&utm_medium=skill&utm_... | README.de.md:51
Medium | External URL | https://discord.com/invite/5mGHfA24kn | README.de.md:52
Medium | External URL | https://img.shields.io/badge/Python-3.9%2B-blue.svg | README.md:8
Medium | External URL | https://python.org | README.md:8
Medium | External URL | https://img.shields.io/badge/Claude%20Code-Skill-blueviolet | README.md:9
Medium | External URL | https://claude.ai/code | README.md:9
Medium | External URL | https://docs.evolink.ai/en/api-manual/language-series/claude/claude-messages-api?utm_source=clawhub&utm_medium=skill&utm... | SKILL.md:20
Medium | External URL | https://evolink.ai/signup | SKILL.md:71
Medium | External URL | https://api.evolink.ai/v1/messages | SKILL.md:98
Medium | External URL | https://docs.evolink.ai/en/api-manual/language-series/claude/claude-messages-api | docs/PRD.md:8
Info | Email address | [email protected] | README.md:246

File Tree

26 files · 92.2 KB · 2676 lines
Markdown 18f · 1835L Python 6f · 823L JSON 1f · 17L Text 1f · 1L
├─ 📁 docs
│ └─ 📝 PRD.md Markdown 134L · 4.8 KB
├─ 📁 prompts
│ ├─ 📝 correction_handler.md Markdown 57L · 1.7 KB
│ ├─ 📝 intake.md Markdown 111L · 3.1 KB
│ ├─ 📝 merger.md Markdown 45L · 1.4 KB
│ ├─ 📝 persona_analyzer.md Markdown 87L · 4.7 KB
│ ├─ 📝 persona_builder.md Markdown 132L · 3.8 KB
│ ├─ 📝 vibe_analyzer.md Markdown 90L · 2.8 KB
│ └─ 📝 vibe_builder.md Markdown 120L · 2.2 KB
├─ 📁 tools
│ ├─ 🐍 photo_analyzer.py Python 129L · 4.1 KB
│ ├─ 🐍 qq_parser.py Python 107L · 3.5 KB
│ ├─ 🐍 skill_writer.py Python 170L · 5.2 KB
│ ├─ 🐍 social_parser.py Python 83L · 2.8 KB
│ ├─ 🐍 version_manager.py Python 111L · 3.4 KB
│ └─ 🐍 wechat_parser.py Python 223L · 7.8 KB
├─ 📋 _meta.json JSON 17L · 1.0 KB
├─ 📝 README_EN.md Markdown 116L · 3.7 KB
├─ 📝 README.de.md Markdown 54L · 2.2 KB
├─ 📝 README.es.md Markdown 54L · 2.2 KB
├─ 📝 README.fr.md Markdown 54L · 2.3 KB
├─ 📝 README.ja.md Markdown 54L · 2.4 KB
├─ 📝 README.ko.md Markdown 54L · 2.2 KB
├─ 📝 README.md Markdown 262L · 9.1 KB
├─ 📝 README.ru.md Markdown 54L · 2.8 KB
├─ 📝 README.tr.md Markdown 54L · 2.3 KB
├─ 📄 requirements.txt Text 1L · 14 B
└─ 📝 SKILL.md Markdown 303L · 10.7 KB

Dependencies 1 items

Package | Version | Source | Known Vulns | Notes
Pillow | >=9.0.0 | pip | No | Minimum version pinned, no upper bound

Security Positives

✓ All external network activity is to api.evolink.ai and fully declared in both SKILL.md and _meta.json
✓ Data transmission is documented: user chat data sent to API for Claude processing, not stored by the service
✓ All Python scripts are straightforward text/media parsers with no obfuscation or hidden functionality
✓ No credential harvesting — EVOLINK_API_KEY is used as a dependency, not exfiltrated
✓ No reverse shells, C2 communication, or data theft patterns found
✓ No base64-encoded execution, eval(), or suspicious shell patterns
✓ File writes are scoped to ./buddies/{slug}/ directory, a controlled output location
✓ Privacy protection stated: data not retained after API response
✓ Security boundaries documented for buddy relationship limits
✓ No sensitive path access (~/.ssh, ~/.aws, .env) found
✓ Generated buddy SKILL.md files use safe templating without dynamic code execution