v1.0.0

Avatar

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 5:29 AM.

Analysis

The avatar’s purpose is clear, but review it carefully because it exposes a provider API key to the browser, requests OpenClaw operator read/write access, persists a device key, and renders agent output as raw HTML.

Guidance: Before installing, confirm you are comfortable running a local long-lived avatar server with OpenClaw operator access, browser-exposed Simli credentials, and optional Slack/email forwarding. Prefer a version that sanitizes rendered markdown, pins dependencies, documents the device-key file, and clearly scopes all tokens and gateway permissions.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
Severity: High | Confidence: High | Status: Concern
src/client/app.ts
detailContentEl.innerHTML = window.marked.parse(detail);

The browser renders agent-generated detail text as HTML without a sanitizer shown in the artifacts, so malicious or poisoned response content could become active page content.

User impact: A manipulated response could run code in the local avatar page and potentially call same-origin avatar APIs or read client configuration.
Recommendation: Escape raw HTML or use a sanitizer-backed markdown renderer, add a restrictive CSP, and avoid using innerHTML for model-generated content.

Rogue Agents
Severity: Low | Confidence: High | Status: Note
src/server.ts
const KEYPAIR_PATH = './device-key.json'; ... writeFileSync(KEYPAIR_PATH, JSON.stringify({ privateDer: privDer.toString('base64'), publicRaw: publicKeyRaw.toString('base64') }))

Startup creates a stable device identity keypair on disk; this is not hidden from the code, but it persists credential-like material across runs.

User impact: A local private key file remains after use and may continue identifying the avatar device until deleted or rotated.
Recommendation: Document the file, store it with restrictive permissions, and provide clear rotation/removal instructions.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
package.json
"bin": { "openclaw-avatar": "dist/cli.js" }, ... "simli-client": "latest"

The skill is installed as a global npm CLI and one runtime dependency is unpinned as `latest`, which can change between installs.

User impact: Future installations may execute dependency code different from what was reviewed here.
Recommendation: Pin runtime dependency versions and publish a lock/shrinkwrap or reproducible release artifact.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
src/client/app.ts
await fetch('/api/send-slack', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ text }) });

The client can send generated detail text to Slack when configured and triggered; this is disclosed and purpose-aligned, but it externalizes potentially sensitive response content.

User impact: A response containing private information could be posted to Slack if the user or a configured control triggers forwarding.
Recommendation: Configure Slack targets carefully and review generated detail before forwarding it outside the avatar UI.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
src/config/index.ts
/** Get configuration safe to send to the client (no secrets) */ ... simliApiKey: config.secrets.simliApiKey

A value loaded from SIMLI_API_KEY is explicitly included in the client configuration sent to the browser, despite being treated as a secret in environment configuration.

User impact: Anyone able to access the avatar web UI or its local API could obtain and misuse the Simli API key, potentially causing account misuse or usage charges.
Recommendation: Proxy Simli calls server-side or use short-lived/client-scoped tokens, document any required browser exposure, and restrict the server/API to trusted local access.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
src/server.ts
role: 'operator', scopes: ['operator.read', 'operator.write'], ... auth: { token } ... method: 'chat.send'

The avatar connects to the OpenClaw gateway with operator read/write scopes and optional OPENCLAW_TOKEN, then sends chat requests into the agent session.

User impact: The avatar can drive an OpenClaw agent session; if prompts, Stream Deck actions, or rendered content are misused, downstream skills may access or change data under the user’s authority.
Recommendation: Declare the OpenClaw token and requested scopes in metadata, request the least privilege needed for chat display, and require explicit user confirmation before downstream mutating actions.