Trusted: risk score 5/100
Last scanned: 1 day ago
Buddy Skill Creator
Distill your ideal buddy into an AI Skill. Import chat history, photos, social media posts, or just describe your dream buddy — generate Vibe Memory + Persona with continuous evolution.
A legitimate persona-extraction skill that parses local chat/media files and sends user data to a declared external AI API for analysis. No malicious behavior detected.
Skill name: Buddy Skill Creator
Analysis time: 44.1s
Engine: pi
Safe to install
No action required. The skill's behavior aligns with its documentation. Users should be aware that their chat data and media are sent to api.evolink.ai for AI processing when the optional EVOLINK_API_KEY is configured.

Security findings: 1

Severity | Finding | Location
Low | Unpinned dependency version (supply chain) | requirements.txt:1
requirements.txt specifies Pillow>=9.0.0 without an upper version limit. While no malicious behavior is present, version upper bounds are a security best practice.
Pillow>=9.0.0
→ Pin to a known-safe range: Pillow>=9.0.0,<10.3.0
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Consistent | Write/Edit tools used to write buddy skill files to ./buddies/{slug}/ — declared…
Filesystem | READ | READ | ✓ Consistent | Read tool used to read user-uploaded files (photos, PDFs, text) — declared in SK…
Command execution | WRITE | WRITE | ✓ Consistent | Bash tool used to run python3 scripts for parsing — declared in SKILL.md and imp…
Network access | READ | READ | ✓ Consistent | curl POST to api.evolink.ai for AI analysis — declared in SKILL.md and _meta.jso…
Environment variables | READ | NONE | ✓ Consistent | SKILL.md references $EVOLINK_API_KEY and $EVOLINK_MODEL env vars but does not re…
Skill invocation | READ | READ | ✓ Consistent | Skill invokes EvoLink API and generates new SKILL.md files for buddy personas — …
Clipboard | NONE | NONE | | No clipboard access found
Browser | NONE | NONE | | No browser access found
Database | NONE | NONE | | No direct database access; wechat_parser.py supports PyWxDump SQLite parsing but…

16 findings

Severity | Type | Value | Location
Medium | External URL | https://img.shields.io/badge/License-MIT-yellow.svg | README.de.md:5
Medium | External URL | https://img.shields.io/badge/Powered%20by-EvoLink-blue | README.de.md:6
Medium | External URL | https://evolink.ai?utm_source=github&utm_medium=skill&utm_campaign=buddy | README.de.md:6
Medium | External URL | https://evolink.ai/signup?utm_source=github&utm_medium=skill&utm_campaign=buddy | README.de.md:23
Medium | External URL | https://clawhub.ai/evolinkai/buddy-skill-creator | README.de.md:50
Medium | External URL | https://docs.evolink.ai/en/api-manual/language-series/claude/claude-messages-api?utm_source=github&utm_medium=skill&utm_... | README.de.md:51
Medium | External URL | https://discord.com/invite/5mGHfA24kn | README.de.md:52
Medium | External URL | https://img.shields.io/badge/Python-3.9%2B-blue.svg | README.md:8
Medium | External URL | https://python.org | README.md:8
Medium | External URL | https://img.shields.io/badge/Claude%20Code-Skill-blueviolet | README.md:9
Medium | External URL | https://claude.ai/code | README.md:9
Medium | External URL | https://docs.evolink.ai/en/api-manual/language-series/claude/claude-messages-api?utm_source=clawhub&utm_medium=skill&utm... | SKILL.md:20
Medium | External URL | https://evolink.ai/signup | SKILL.md:71
Medium | External URL | https://api.evolink.ai/v1/messages | SKILL.md:98
Medium | External URL | https://docs.evolink.ai/en/api-manual/language-series/claude/claude-messages-api | docs/PRD.md:8
Info | Email address | [email protected] | README.md:246

Directory structure

26 files · 92.2 KB · 2676 lines
Markdown 18f · 1835L Python 6f · 823L JSON 1f · 17L Text 1f · 1L
├─ 📁 docs
│ └─ 📝 PRD.md Markdown 134L · 4.8 KB
├─ 📁 prompts
│ ├─ 📝 correction_handler.md Markdown 57L · 1.7 KB
│ ├─ 📝 intake.md Markdown 111L · 3.1 KB
│ ├─ 📝 merger.md Markdown 45L · 1.4 KB
│ ├─ 📝 persona_analyzer.md Markdown 87L · 4.7 KB
│ ├─ 📝 persona_builder.md Markdown 132L · 3.8 KB
│ ├─ 📝 vibe_analyzer.md Markdown 90L · 2.8 KB
│ └─ 📝 vibe_builder.md Markdown 120L · 2.2 KB
├─ 📁 tools
│ ├─ 🐍 photo_analyzer.py Python 129L · 4.1 KB
│ ├─ 🐍 qq_parser.py Python 107L · 3.5 KB
│ ├─ 🐍 skill_writer.py Python 170L · 5.2 KB
│ ├─ 🐍 social_parser.py Python 83L · 2.8 KB
│ ├─ 🐍 version_manager.py Python 111L · 3.4 KB
│ └─ 🐍 wechat_parser.py Python 223L · 7.8 KB
├─ 📋 _meta.json JSON 17L · 1.0 KB
├─ 📝 README_EN.md Markdown 116L · 3.7 KB
├─ 📝 README.de.md Markdown 54L · 2.2 KB
├─ 📝 README.es.md Markdown 54L · 2.2 KB
├─ 📝 README.fr.md Markdown 54L · 2.3 KB
├─ 📝 README.ja.md Markdown 54L · 2.4 KB
├─ 📝 README.ko.md Markdown 54L · 2.2 KB
├─ 📝 README.md Markdown 262L · 9.1 KB
├─ 📝 README.ru.md Markdown 54L · 2.8 KB
├─ 📝 README.tr.md Markdown 54L · 2.3 KB
├─ 📄 requirements.txt Text 1L · 14 B
└─ 📝 SKILL.md Markdown 303L · 10.7 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
Pillow | >=9.0.0 | pip | | Minimum version pinned, no upper bound

Security highlights

✓ All external network activity is to api.evolink.ai and fully declared in both SKILL.md and _meta.json
✓ Data transmission is documented: user chat data sent to API for Claude processing, not stored by the service
✓ All Python scripts are straightforward text/media parsers with no obfuscation or hidden functionality
✓ No credential harvesting — EVOLINK_API_KEY is used as a dependency, not exfiltrated
✓ No reverse shells, C2 communication, or data theft patterns found
✓ No base64-encoded execution, eval(), or suspicious shell patterns
✓ File writes are scoped to ./buddies/{slug}/ directory, a controlled output location
✓ Privacy protection stated: data not retained after API response
✓ Security boundaries documented for buddy relationship limits
✓ No sensitive path access (~/.ssh, ~/.aws, .env) found
✓ Generated buddy SKILL.md files use safe templating without dynamic code execution