Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Yuzhua (驭爪) - Gesture-Controlled OpenClaw Chat

v1.0.0

Install, start, stop, and health-check Yuzhua (gesture + voice + OpenClaw gateway) with minimal manual setup.

by Juguangyuan @juguangyuan520-dotcom
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the provided scripts and SKILL.md. The skill only implements install, start, stop, and health-check behaviour for a local Yuzhua project and uses expected options (YUZHUA_HOME, YUZHUA_REPO_URL, YUZHUA_API_URL, YUZHUA_PORT). No unrelated credentials or services are requested.
Instruction Scope
SKILL.md and scripts stay within the stated scope: install.sh clones/updates the repo and prepares .env, start.sh execs the project's own start.sh, health_check.sh queries a local HTTP status endpoint, and stop.sh kills processes on the configured port. One important note: start.sh execs the upstream project's start.sh (i.e., arbitrary code from the cloned repo will run), which is outside the skill's own review surface.
Install Mechanism
There is no packaged installer; install.sh clones from a GitHub repo (https://github.com/juguangyuan520-dotcom/Yuzhua.git). Using git+GitHub is common, but the script clones/updates and then relies on the repo's start.sh without verifying commit, tag, or signature. That creates a risk if the remote repo is malicious or compromised.
Credentials
The skill declares no required credentials and only uses optional environment variables for paths, repo URL, API URL, and port. The scripts create a local .env from .env.example when present; this is reasonable for local configuration. There is no built-in exfiltration of .env in the skill itself, but the upstream project's code (run by start.sh) could access or transmit secrets in .env.
Persistence & Privilege
The skill does not request elevated platform privileges, does not set always:true, and does not modify other skills or global agent configs. It performs actions only under the configured YUZHUA_HOME path.
Assessment
This skill is coherent for installing and running a local Yuzhua app, but it clones and executes code from a remote GitHub repository without verifying a commit/tag or signature. Before running: (1) inspect the repository (and the repo's start.sh) to ensure it does what you expect; (2) avoid placing real secrets in .env unless you trust the upstream code; (3) prefer setting YUZHUA_REPO_URL to a vetted fork or a specific commit/tag; (4) run the install/start in a restricted environment (container or VM) if you want to limit risk; (5) ensure git, curl, and lsof are available and review output during install/start. If you cannot review the upstream repo, treat this as higher risk.
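
Recommendation (3) above, sketched as a pre-start guard. This is an added example, not code from the skill or from the Yuzhua repository; `YUZHUA_PINNED_COMMIT`, `verify_pin` and `guarded_start` are hypothetical names, and the pinned value is a placeholder for the commit you actually reviewed.

```shell
#!/bin/sh
# Added example, not part of the Yuzhua skill: run the upstream start.sh only
# when the checkout is exactly the commit that was reviewed.

# Default project path as documented by the skill.
YUZHUA_HOME="${YUZHUA_HOME:-$HOME/.openclaw/workspace/apps/Yuzhua}"
# Hypothetical variable. The placeholder is not hex, so an unset pin fails closed.
YUZHUA_PINNED_COMMIT="${YUZHUA_PINNED_COMMIT:-<REVIEWED_COMMIT_SHA>}"

# verify_pin DIR SHA
# Returns 0 only if DIR is a git checkout whose HEAD equals SHA and whose
# tracked files are unmodified. 2 = bad pin, 3 = not a checkout, 1 = mismatch.
verify_pin() {
    dir=$1
    want=$2
    # Accept only a full object id (40 hex for SHA-1, 64 for SHA-256).
    # Branch and tag names are rejected because upstream can move them.
    case $want in
        ''|*[!0-9a-f]*) echo "pin must be a full lowercase hex commit id" >&2; return 2 ;;
    esac
    if [ "${#want}" -ne 40 ] && [ "${#want}" -ne 64 ]; then
        echo "pin must be 40 or 64 hex characters" >&2
        return 2
    fi
    have=$(git -C "$dir" rev-parse --verify HEAD 2>/dev/null) || {
        echo "not a git checkout with commits: $dir" >&2
        return 3
    }
    if [ "$have" != "$want" ]; then
        echo "HEAD is $have, expected $want" >&2
        return 1
    fi
    # Compare tracked files (index and work tree) against the reviewed commit.
    git -C "$dir" diff --quiet HEAD -- || {
        echo "tracked files differ from the pinned commit" >&2
        return 1
    }
}

# guarded_start: the same hand-off the skill's start.sh performs, behind the check.
guarded_start() {
    verify_pin "$YUZHUA_HOME" "$YUZHUA_PINNED_COMMIT" || return $?
    ( cd "$YUZHUA_HOME" && exec ./start.sh )
}
```

Untracked and ignored files such as .env are outside this check, so it confirms which code runs, not what that code can read.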

Like a lobster shell, security has layers — review code before you run it.

latest vk971288gck9g62j63x3agaph6d82cs8v
311 downloads
1 star
1 version
Updated 7h ago
v1.0.0
MIT-0

Yuzhua OpenClaw Skill

Project Introduction

Yuzhua (驭爪) is a lightweight local gesture-driven AI conversation project.

  • Open palm starts recording.
  • Close hand stops recording and sends the request.
  • Speech recognition, VAD, and TTS run locally.
  • Conversation routing is connected through OpenClaw gateway.
  • It is isolated from OpenClaw core runtime and does not modify OpenClaw main process behavior.

GitHub: https://github.com/juguangyuan520-dotcom/Yuzhua

Purpose

Use this skill when the user wants to:

  • install Yuzhua quickly
  • start Yuzhua locally
  • check whether Yuzhua and OpenClaw gateway are connected
  • stop a running Yuzhua process

This skill is designed for local machines and keeps secrets in .env.

Quick Commands

Run from this skill directory:

./scripts/install.sh
./scripts/start.sh
./scripts/health_check.sh
./scripts/stop.sh

Paths And Environment

  • YUZHUA_HOME: local Yuzhua project path (optional)
  • YUZHUA_REPO_URL: repo to clone when missing (optional)

Defaults:

  • YUZHUA_HOME=~/.openclaw/workspace/apps/Yuzhua
  • YUZHUA_REPO_URL=https://github.com/juguangyuan520-dotcom/Yuzhua.git

What The Scripts Do

  1. install.sh
     • clone or update Yuzhua source
     • ensure start.sh exists and is executable
     • create .env from .env.example when needed
  2. start.sh
     • run Yuzhua's own start.sh
     • print resolved project path
  3. health_check.sh
     • query http://127.0.0.1:8080/api/status
     • show transcriber/gateway/token/session status
  4. stop.sh
     • stop local process on port 8080

Notes

  • Never commit .env or any real keys.
  • For first run, users may still need to fill token values in .env.
  • If Python dependency download fails, it is usually network/SSL/mirror related.
