Claw Desktop Pet - Enterprise-grade 7x24 AI Assistant
Pass
Audited by ClawScan on May 1, 2026.
Overview
The provided artifacts describe a coherent desktop assistant setup, with no evidence of hidden malicious behavior, but users should review the external code and understand its long-running local bridge behavior before running it.
Before installing, verify that you trust the referenced GitHub repository and its npm/pip dependencies, run it without administrator privileges where possible, keep the local bridge private to your machine, and make sure you know how to stop the app or disable auto-restart.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running these commands can execute code from the GitHub repository and installed npm/pip dependencies on the user's machine.
The skill asks the user to fetch and run external Node/Python project code and dependencies rather than installing reviewed code included in the artifact package.
git clone https://github.com/kk43994/claw-desktop-pet.git ... npm install ... pip install edge-tts ... npm start
Review the referenced repository and dependency manifests before running it; install from a normal user account and avoid elevated privileges unless clearly needed.
The app may continue running or restart during normal use, which can affect resources and user expectations.
The desktop assistant is designed to keep running and automatically recover after crashes. This is clearly disclosed and aligned with the advertised 24/7 assistant purpose.
Automatic recovery after a crash ... true 7×24 operation ... restart count and statistics
Confirm how to stop the app, review its logs, and disable auto-restart if continuous operation is not desired.
Messages and status data may pass through a local bridge; if exposed beyond localhost or misconfigured, other local processes could potentially interact with it.
The artifacts describe a local OpenClaw bridge and localhost health endpoint used for communication between OpenClaw and the desktop app.
const OPENCLAW_PORT = 18788 ... fetch('http://localhost:18788/health') ... desktop-bridge.js agent-response
Keep the bridge bound to localhost, avoid exposing the port to the network, and review the bridge code before sending sensitive messages through it.
