LiveAvatar
PassAudited by ClawScan on May 1, 2026.
Overview
LiveAvatar is a coherent voice/video avatar integration, but users should understand it runs an npm package and sends microphone conversation data through LiveAvatar and the local OpenClaw Gateway.
This looks like a purpose-aligned avatar interface. Before installing, make sure you trust the npm package and LiveAvatar service, and remember that voice conversations may be transcribed and sent through the avatar and agent pipeline.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill will rely on third-party package code to run the avatar interface.
The runtime is provided by an npm package rather than code included in the artifact set. This is expected for the skill's purpose, but users are trusting the package source.
node | package: openclaw-liveavatar | creates binaries: openclaw-liveavatar
Install only if you trust the `openclaw-liveavatar` npm package and its linked project source.
The LiveAvatar service will be accessed using the user's API key.
The skill requires a LiveAvatar API key. This is purpose-aligned and disclosed, with no artifact evidence of hardcoding, logging, or unrelated credential use.
export LIVEAVATAR_API_KEY=your_api_key_here
Use a dedicated LiveAvatar key where possible and revoke it if you stop using the integration.
Anything spoken to the avatar may be processed as transcription and passed into the OpenClaw agent flow.
The skill discloses that spoken user input is transcribed by LiveAvatar and then sent to the local OpenClaw Gateway. This data flow is central to the product, but it involves sensitive conversation content.
LiveAvatar converts speech to text ... Text sent to OpenClaw Gateway (port 18789)
Avoid speaking secrets or highly sensitive information unless you are comfortable with the LiveAvatar and OpenClaw Gateway data flow.