vizclaw

Review

Audited by ClawScan on May 10, 2026.

Overview

VizClaw appears to be a disclosed visualization bridge, but it can send run-event content to VizClaw and suggests running an unpinned remote script.

This skill appears purpose-aligned for live visualization. Before installing or running it, decide whether your run data is safe to share with VizClaw, use overview/hidden mode for sensitive sessions, and be cautious with the direct remote `uv run` command unless you have inspected or pinned the script.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Prompts, tool activity, reports, or other run details could be visible in the VizClaw room if detailed data is streamed.

Why it was flagged

The skill explicitly bridges run events to a VizClaw live room and indicates query/tool/report text is only redacted in overview/hidden mode, so detailed-mode streams may include sensitive run content.

Skill content

Use this skill to create a VizClaw room and stream OpenClaw-style events. ... In `overview`/`hidden` mode, query/tool/report text is redacted. ... Do not stream secrets or sensitive data you are not allowed to share.

Recommendation

Use overview/hidden mode for sensitive work, avoid streaming secrets, and confirm who can access the VizClaw room before connecting a run.

What this means

If the remote script changes or the hosting source is compromised, a user could run code different from the reviewed package.

Why it was flagged

The documented command fetches and runs Python from an external URL at runtime without a version pin or checksum in the artifact. This is purpose-aligned and user-directed, but it is a provenance consideration.

Skill content

Direct script from vizclaw.com:

```bash
uv run https://vizclaw.com/skills/vizclaw/scripts/connect.py
```

Recommendation

Prefer the packaged ClawHub-installed script when possible, inspect the remote script before running it, or use a pinned/checksummed release.