LiveAvatar

Security checks across malware telemetry and agentic risk

Overview

This is a coherent LiveAvatar integration that discloses its microphone, API key, npm package, and local gateway requirements, with privacy considerations users should understand.

Install only if you trust the LiveAvatar service and the openclaw-liveavatar npm package. Treat spoken input as potentially sensitive because voice may be transcribed and passed through the avatar and agent flow; avoid saying secrets unless you accept that data handling.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly captures microphone input and sends speech to LiveAvatar for transcription and avatar processing, but it does not prominently warn users that their voice data leaves the local system and is handled by an external service. This can lead to uninformed disclosure of sensitive spoken information, especially because the skill presents the feature as a natural conversational interface without a clear privacy notice.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal