Skill v0.2.0
ClawScan security
Clawatar · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 6:22 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions mostly match an avatar viewer, but its registry metadata omits required credential/config details and it tells the agent to clone + npm install unvetted code and to store an API key in a shared config — these mismatches and the install pattern are worth caution.
- Guidance: This skill appears to do what it says (a local web-based VRM viewer with TTS), but there are several red flags you should address before installing:
  1. The registry metadata omits that an ELEVENLABS_API_KEY and a config path (~/.openclaw/openclaw.json) are used — ask the publisher to update metadata.
  2. The runtime requires git clone + npm install + npm run start of a third-party GitHub repo; inspect that repo, especially package.json and any npm scripts, before running.
  3. Prefer providing ELEVENLABS_API_KEY via environment variable (ELEVENLABS_API_KEY) rather than writing it into a shared ~/.openclaw config; if you must store it, review who/what can read that file.
  4. Run the viewer in an isolated environment (container or VM) if you cannot fully vet the code.
  5. Verify licensing for Mixamo assets and confirm the GitHub repo's trustworthiness (owner, commit history, issues).

  If you want, ask the skill author for a homepage, signed release, or a minimal install payload (e.g., packaged release) rather than running npm install from master.
Review Dimensions
- Purpose & Capability (note): The declared purpose (3D VRM avatar with TTS/lip-sync) aligns with the runtime instructions (git clone a viewer, run npm, open local web + WebSocket). However the registry metadata lists no required env vars or config paths while SKILL.md explicitly requires an ELEVENLABS_API_KEY and references ~/.openclaw/openclaw.json — this mismatch is unexpected.
- Instruction Scope (concern): SKILL.md instructs cloning a GitHub repo, running npm install and npm run start (which will download and execute third-party JS), opening local ports, and optionally reading/storing an ElevenLabs API key in ~/.openclaw/openclaw.json under skills.entries.sag.apiKey. The instruction to persist a credential in a global config and the mismatch of the config key name (sag.apiKey) are scope-creep and potentially surprising to users.
- Install Mechanism (concern): There is no formal install spec in the registry; instead SKILL.md tells the agent/user to git clone https://github.com/Dongping-Chen/Clawatar and run npm install/start. That causes arbitrary code from a third-party repo and npm packages to be installed and executed on the host — normal for this functionality but a material risk unless the repo and package.json/scripts are reviewed.
- Credentials (concern): Requesting an ElevenLabs API key is proportional for TTS. But the registry incorrectly declares no env vars, and SKILL.md suggests storing the key either in the environment (ELEVENLABS_API_KEY) or in a shared ~/.openclaw/openclaw.json under a non-obvious key (skills.entries.sag.apiKey). Asking to persist credentials in a global/shared config without declaring it is concerning.
- Persistence & Privilege (concern): always:false (ok) and autonomous invocation is default (not by itself alarming). However the guidance to place an API key into the global OpenClaw config (which could be read by other skills) increases the blast radius for credential exposure. The skill also writes into ~/.openclaw/workspace/clawatar which is a persistent workspace location.
