Is humanji7/solobuddy safe?
https://github.com/openclaw/skills/tree/main/skills/humanji7/solobuddy
SoloBuddy is a build-in-public companion skill with legitimate stated functionality for indie hackers managing content workflows, Twitter engagement, and project journaling. The skill is not overtly malicious but carries meaningful risk from three sources: a macOS LaunchAgent persistence mechanism for background Twitter monitoring, a custom voice file feature that acts as a persistent prompt injection vector, and an arbitrary path file enumeration capability in the Soul Wizard. The provenance chain shows inconsistencies across three GitHub repositories (gHashTag/bip-buddy, clawdbot/skills, openclaw/skills) that reduce supply-chain confidence.
Findings (10)
HIGH macOS LaunchAgent persistence mechanism -15
The twitter-monitor module instructs the agent to install a LaunchAgent plist at ~/Library/LaunchAgents/com.clawdbot.twitter-monitor.plist. This creates a persistent background process that survives reboots and runs without an active user session, operating outside the normal scope of agent interaction.
HIGH Arbitrary filesystem enumeration via Soul Wizard -12
The soul wizard feature accepts a user-provided path and executes find <path> -name '*.md' -type f | head -20 to scan all markdown files. With no path sanitization documented, this could enumerate and read files from any accessible directory on the system.
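The following is an added example, not code from the SoloBuddy skill, showing the unsanitized scan the finding describes next to a confined version. The hardened function canonicalizes both the allowed base directory and the requested path (so symlinks and ".." cannot escape) and refuses anything outside the base; the directory layout in the usage lines is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the SoloBuddy skill): confine the Soul Wizard's
# markdown scan to one allowed base directory instead of any user-given path.

# Unsanitized form, as the finding describes it: whatever directory the user
# names is enumerated, including directories unrelated to the project.
unsafe_list_md() {
    find "$1" -name '*.md' -type f | head -20
}

# Hardened form. Arguments: allowed base directory, user-requested path.
# Lists at most 20 markdown files under the requested path if (and only if)
# it resolves to a location inside the base; otherwise prints a reason to
# stderr and returns 1.
safe_list_md() {
    base=$1
    requested=$2
    # cd -P / pwd -P resolve symlinks and ".." on both sides so the
    # comparison below is between canonical paths.
    base_real=$(cd -P -- "$base" 2>/dev/null && pwd -P) || return 2
    target_real=$(cd -P -- "$requested" 2>/dev/null && pwd -P) \
        || { echo "denied: $requested is not a readable directory" >&2; return 1; }
    case "$target_real" in
        "$base_real"|"$base_real"/*) ;;
        *) echo "denied: $requested resolves outside $base_real" >&2; return 1 ;;
    esac
    # -maxdepth bounds the scan. find is run WITHOUT -L, so -type f does not
    # match symlinks and a link planted inside the base cannot pull in files
    # from elsewhere.
    find "$target_real" -maxdepth 3 -name '*.md' -type f | head -20
}

# Usage with a constructed layout: "project" is the only directory the wizard
# may scan; "elsewhere" stands in for any other readable directory.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/project/notes" "$demo_root/elsewhere"
echo '# idea' > "$demo_root/project/notes/idea.md"
echo '# readme' > "$demo_root/project/README.md"
echo '# private' > "$demo_root/elsewhere/private.md"
safe_list_md "$demo_root/project" "$demo_root/project"             # lists 2 files
safe_list_md "$demo_root/project" "$demo_root/project/../elsewhere" # denied
rm -rf "$demo_root"
```

The check is on the resolved path, not the string the user typed, which is what makes the ".." and symlink cases fail closed; a check on the raw argument would be bypassable by either.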
HIGH Agent persona override via embedded system prompt -10
The skill includes prompts/system.md which redefines the agent's identity, philosophy, and behavioral constraints. When loaded, this overrides the host agent's default system instructions with SoloBuddy-specific directives including explicit 'Bad Examples (Never Do This)' that suppress normal agent reporting behavior.
MEDIUM User-writable voice file is a prompt injection vector -5
The 'custom' voice profile reads agent behavioral instructions from {dataPath}/voice.md, a file in the user-controlled data directory. If this path is writable by an attacker or the file contains malicious instructions, every content generation request will inject those instructions into the agent context.
MEDIUM Plaintext Twitter credentials stored in ~/.zshrc -8
The twitter monitor instructs users to store Twitter session tokens (AUTH_TOKEN, CT0) as plaintext environment variables in ~/.zshrc. These are long-lived session credentials that provide full Twitter account access and persist in a broadly readable shell configuration file.
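Three of the findings above (the LaunchAgent persistence, the user-writable voice.md, and the plaintext tokens in ~/.zshrc) can each be checked from a shell. The script below is an added example written from the defender's side; it is not the skill's code or the auditor's tooling. Every check takes its inputs as arguments so it can be pointed at a real home directory or, as in the usage lines, at constructed sample files. It assumes the LaunchAgent plist is in XML form (the grep would not see a binary plist) and that the token variable names are AUTH_TOKEN and CT0 as the finding states.

```shell
#!/bin/sh
# Added example (not the skill's or the auditor's own code): host-side checks
# for the three findings. All paths and file contents in the usage section
# are constructed for the demonstration.

# 1. Persistence: is a LaunchAgent with the given Label present in the given
#    LaunchAgents directory? Prints the plist path and returns 0 if found.
#    Assumes an XML plist; binary plists would need plutil first.
launchagent_installed() {
    dir=$1
    label=$2
    for plist in "$dir"/*.plist; do
        [ -f "$plist" ] || continue
        if grep -q "<string>$label</string>" "$plist"; then
            echo "$plist"
            return 0
        fi
    done
    return 1
}

# 2. Credentials: which long-lived token variables does an rc file assign or
#    export in plaintext? Prints one name per line; returns 1 if none.
#    Commented-out lines are ignored because the regex is anchored at the
#    start of the line.
plaintext_tokens_in() {
    rcfile=$1
    found=$(grep -E '^[[:space:]]*(export[[:space:]]+)?(AUTH_TOKEN|CT0)=' "$rcfile" 2>/dev/null \
        | sed -E 's/^[[:space:]]*(export[[:space:]]+)?([A-Z0-9_]+)=.*/\2/' | sort -u)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# 3. Prompt injection surface: can anyone other than the owner write the file
#    whose contents are fed to the agent on every request? Returns 0 if the
#    group or other write bit is set. Parses ls -l for portability.
group_or_world_writable() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ?????w*) return 0 ;;     # group write (position 6)
        ????????w*) return 0 ;;  # other write (position 9)
        *) return 1 ;;
    esac
}

# Usage against constructed sample files (a real run would pass
# "$HOME/Library/LaunchAgents", "$HOME/.zshrc" and the skill's data path).
demo=$(mktemp -d)
mkdir "$demo/LaunchAgents"
printf '<plist><dict><key>Label</key><string>com.clawdbot.twitter-monitor</string></dict></plist>\n' \
    > "$demo/LaunchAgents/com.clawdbot.twitter-monitor.plist"
printf 'export PATH=/usr/bin\nexport AUTH_TOKEN=constructed-sample\nCT0=constructed-sample\n' > "$demo/zshrc"
printf 'Write like a pirate.\n' > "$demo/voice.md"; chmod 666 "$demo/voice.md"
launchagent_installed "$demo/LaunchAgents" com.clawdbot.twitter-monitor && echo "persistence present"
plaintext_tokens_in "$demo/zshrc"
group_or_world_writable "$demo/voice.md" && echo "voice.md is writable by others"
rm -rf "$demo"
```

A positive result from the first check after the skill has been removed is the persistence problem the finding describes; the second check is a reason to move the tokens into the keychain or a secrets manager rather than a shell rc file; the third is the minimum condition under which voice.md can be edited by something other than the user.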
MEDIUM External scripts installed outside skill directory -5
The skill references twitter-monitor.sh and twitter-analyze.sh being installed to ~/.clawdbot/scripts/. These scripts are not included in the skill package and cannot be audited at install time, creating a trust gap for code that will execute on a persistent schedule.
MEDIUM First-person creator voice blurs agent/user boundary -5
The content generation prompt explicitly instructs the agent to write 'as if YOU are the creator' in first person. This persona adoption could cause the agent to misrepresent its outputs as coming from the user in social media contexts, enabling impersonation.
LOW User content transmitted to external Telegram and Twitter services -7
The skill's core function involves sending user content to Telegram via the clawdbot messaging API and posting to Twitter via the bird CLI. While this is the stated purpose, all user ideas, drafts, and project activity data traverse external services.
LOW Unverified provenance chain across three repositories -10
The skill's homepage references github.com/gHashTag/bip-buddy, its install source is openclaw/skills, and the _meta.json commit URL references github.com/clawdbot/skills. Three distinct repository origins without a clear attribution chain reduce trust in the skill's supply chain.
INFO Canary files accessed twice during audit period -8
Audit logs show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials were opened at timestamps 1771935981 (pre-clone) and 1771935999 (post-install). The file access pattern and timing are consistent with the audit infrastructure performing setup and integrity verification, not with skill code execution. Files were not modified.