ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Claw Desktop Pet

v2.0.0

Give OpenClaw a body — a tiny fluid glass ball desktop pet with voice cloning, 15+ eye expressions, desktop lyrics overlay, and 7 mood colors. Electron-based, pure CSS/JS animation.

1· 1.9k·5 current·6 all-time
by@kk43994
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (Electron desktop pet with voice TTS) match the declared requirements (node, npm) and the SKILL.md instructions (git clone, npm install, npm start). Claimed integrations (MiniMax, Edge TTS, OpenClaw gateway) align with the described functionality.
Instruction Scope
The instructions tell the user/agent to clone a GitHub repo and run npm install/start (normal for an Electron app). They also instruct placing a MiniMax API key into pet-config.json (local file). The doc references Feishu/Lark bidirectional sync but does not document credential setup for that integration — missing detail but not necessarily malicious.
Install Mechanism
No formal install spec in the registry (instruction‑only). The SKILL.md relies on cloning from GitHub and running npm install/start; GitHub is a standard host, but npm install will fetch arbitrary dependencies (standard supply‑chain risk).
Credentials
The skill declares no required env vars. The README asks the user to put a MiniMax API key into a local JSON config (not an env var) if they want voice cloning; Feishu/Lark sync is listed but credential requirements are not documented. Requesting a local API key file is proportionate but users should note keys are stored plaintext unless app encrypts them.
Persistence & Privilege
always:false and no unusual persistence flags. App-level auto-restart/monitoring are implementation details of the desktop app and do not request system-wide privileges or modify other skills' configurations.
Assessment
This skill appears to be what it says: an Electron-based desktop pet that you install by cloning a GitHub repo and running npm install/start. Before installing, review the GitHub repository (package.json, postinstall scripts, and main/start scripts) to ensure there are no unexpected actions. Be aware that npm install pulls dependencies from the public registry (supply‑chain risk). If you use MiniMax voice cloning, the SKILL.md asks you to place your API key in pet-config.json — confirm how the app stores that file and avoid placing secrets in plain text if you care about them. For Feishu/Lark sync, ask the maintainer what credentials are required and where they are stored. If possible, run the app in a sandbox/VM or inspect the code first, run npm audit, and limit its network access until you are comfortable with the repository.

Like a lobster shell, security has layers — review code before you run it.

aivk97bbr0k7mash2w81797jhxbwd80r4mfdesktop-petvk97bbr0k7mash2w81797jhxbwd80r4mfelectronvk97bbr0k7mash2w81797jhxbwd80r4mflatestvk97bbr0k7mash2w81797jhxbwd80r4mfopenclawvk97bbr0k7mash2w81797jhxbwd80r4mfttsvk97bbr0k7mash2w81797jhxbwd80r4mfvoice-cloningvk97bbr0k7mash2w81797jhxbwd80r4mf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🦞 Clawdis
Binsnode, npm

Comments