Sui Vibe

What to check before installing: - Confirm where you'll run the installer: the repo includes code and an installer (bin/cli.js); prefer reviewing/inspecting the files locally before running any npx install. Do not blindly run 'npx walvis' unless you trust the npm package owner. - Expect to provide an LLM API key (llmApiKey / WALVIS_LLM_API_KEY). The registry claims no env vars, but the CLI and docs require this; ask the author how/where the key is stored (manifest or env) and avoid supplying high-privilege keys (use a scoped/test key if possible). - Be aware the skill will read/write ~/.walvis (manifest, spaces, media) and may upload screenshots and space blobs to walrus-testnet endpoints. If you plan to keep data private, do not run `/walvis sync` or enable uploads until you audit the code and configuration. - The skill instructs the agent to use a real browser tool to open arbitrary URLs and take snapshots — this is necessary for rich bookmarks but increases risk (drive-by content, JS execution, etc.). Run the skill in an isolated environment or container if you have sensitive data or are unsure. - The OpenClaw hook rewrites incoming messages and can auto-save bare URLs — if you do not want automatic behavior, set manifest.autoSave = false and disable fastPath or review the hook before enabling. - Review where the CLI/installer inspects Docker mounts and writes into OpenClaw config (it calls docker inspect / exec). If you run the installer on a machine with Docker, it may detect containers and host paths; verify these operations are acceptable in your environment. - If you want to proceed, audit where credentials are stored (manifest.json, openclaw.json) and prefer testnet/demo keys initially. If unsure, run the web UI locally in dev mode and test with dummy data before connecting your real LLM key or syncing to Walrus.

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.