Claw Body

Before installing or running this skill, consider the following: - It runs a local Node server (node server.mjs) that will read ~/.openclaw/openclaw.json and may use the gateway token it finds to call your OpenClaw Gateway. If you keep sensitive tokens there, be aware the skill reads them (it doesn't appear to exfiltrate them aside from using them against the gateway API, but review the code yourself if you're concerned). - The SKILL.md and server expect you to run a Python presentation parser (claw-presenter/scripts/parse-presentation.py). The package metadata did not list Python as a required binary — install/verify Python if you want presentation features. - When you enter your NuwaAI API Key in the UI, the server saves it to a .nuwa-config.json file under the skill directory in plaintext. If you install this skill, check that file's location and file permissions and delete it when no longer needed. - The skill contains hardcoded demo NuwaAI keys for public demo avatars; those appear intended for a free trial but embedding keys in code is a maintenance/privacy concern. Treat them as public demo keys, not your account keys. - If you need to be extra cautious: inspect server.mjs fully (it is included) to confirm no unexpected network endpoints or obfuscated behavior; run the server on localhost only and restrict network exposure; review and audit the parse-presentation.py script referenced (that script will read files under <workspace>/presentations/ and could access other workspace files depending on its implementation). If you accept these behaviors and restrictions (local server, reading gateway config, storing a NuwaAI key locally), the skill appears coherent for its stated purpose. If you are uncomfortable with storing keys in plaintext or with the skill reading ~/ .openclaw/openclaw.json, do not install or run it until those issues are addressed.

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.