LiveAvatar
Analysis
LiveAvatar is a coherent voice/video avatar integration, but users should understand it runs an npm package and sends microphone conversation data through LiveAvatar and the local OpenClaw Gateway.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
node | package: openclaw-liveavatar | creates binaries: openclaw-liveavatar
The runtime is provided by an npm package rather than code included in the artifact set. This is expected for the skill's purpose, but users are trusting the package source.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
export LIVEAVATAR_API_KEY=your_api_key_here
The skill requires a LiveAvatar API key. This is purpose-aligned and disclosed, with no artifact evidence of hardcoding, logging, or unrelated credential use.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
LiveAvatar converts speech to text ... Text sent to OpenClaw Gateway (port 18789)
The skill discloses that spoken user input is transcribed by LiveAvatar and then sent to the local OpenClaw Gateway. This data flow is central to the product, but it involves sensitive conversation content.