ClawHub

LiveAvatar

v1.0.1

Talk face-to-face with your OpenClaw agent using a real-time video avatar powered by LiveAvatar

9· 2.2k·7 current·7 all-time
by@ennno
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binaries (node, npm), required env var (LIVEAVATAR_API_KEY), and the declared npm package (openclaw-liveavatar) are all consistent with providing a real‑time avatar frontend that uses LiveAvatar's service.
Instruction Scope
SKILL.md stays within the stated purpose: it checks for LIVEAVATAR_API_KEY, instructs the user to run the avatar (npx openclaw-liveavatar), and explains the local OpenClaw Gateway connection (port 18789) and localhost UI (http://localhost:3001). Be aware the instructions tell you to run npx which will fetch/execute code from npm at runtime; the doc does not request unrelated files, env vars, or system credentials.
Install Mechanism
The install uses an npm package (openclaw-liveavatar) which is a common mechanism but carries supply‑chain risk: npx/install will execute package code from the public registry. The SKILL.md includes a GitHub link to the project's repo, which helps auditability, but the manifest does not pin a specific package version.
Credentials
Only LIVEAVATAR_API_KEY is required which is appropriate for a third‑party avatar service. No unrelated credentials or config paths are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It runs a local server and connects to the local OpenClaw Gateway as expected; there is no indication it modifies other skills or system-wide settings.
Assessment
This skill appears coherent with its stated purpose, but take these precautions before installing: - Review the npm package source (https://github.com/eNNNo/openclaw-liveavatar) or the published package contents before running npx to ensure no unexpected behavior. - Prefer installing a pinned package version (npm install openclaw-liveavatar@<version>) rather than always running npx on the latest tag. - Be aware audio and transcriptions are sent to LiveAvatar and your OpenClaw Gateway; avoid using sensitive voice data unless you trust those services and their privacy policies. - Store the LIVEAVATAR_API_KEY in a secure place (not a world-readable file); avoid exporting secrets in shared shells. - The skill launches a local web UI (http://localhost:3001) — ensure you only run it on trusted networks and close the session when finished. If you cannot or will not review the package code, treat the runtime npm install as a potential risk and consider declining installation.

Like a lobster shell, security has layers — review code before you run it.

latestvk971gfmxw7nr37f839f381wt2580crfy

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎭 Clawdis
Binsnode, npm
EnvLIVEAVATAR_API_KEY

Install

Install LiveAvatar (npm)
Bins: openclaw-liveavatar
npm i -g openclaw-liveavatar

Comments