Skill v0.2.1

ClawScan security

Avatar Runtime · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 10, 2026, 1:09 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill is internally consistent for running an avatar runtime: it instructs the agent to fetch and run an npm package (via npx) and exposes control endpoints; the main risks are expected (remote code execution via npx, third‑party asset downloads, and optional API keys) but they align with the stated purpose.
Guidance
This skill is coherent for embedding a virtual avatar, but it executes remote npm code at runtime and will download assets. Before installing or running it:
1) Inspect the referenced repository (https://github.com/acnlabs/avatar-runtime) and pin a specific, audited package version instead of running unpinned npx in production;
2) Run npx avatar-runtime and the sample scripts in an isolated sandbox/container and monitor outbound network connections;
3) Do not provide production API keys; use scoped or test keys, and avoid exposing secrets to the runtime process;
4) Review any setup scripts (ensure-default-*.sh) to see what they download and from where;
5) If you must deploy, vendor the package (install from a known lockfile or build artifacts) rather than relying on live npx fetch;
6) Note Live2D license restrictions on sample models and avoid redistributing those assets in production.

Review Dimensions

Purpose & Capability
ok: Name and description match the instructions: the skill is explicitly an instruction-only wrapper that runs the avatar-runtime npm package via npx and exposes a local HTTP session/control API. Declared runtime requirements (node >= 18, npm, curl, internet access for npx) and optional provider env vars (Live2D, VRM, HeyGen, KusaPics) are coherent with an avatar/renderer integration.
Instruction Scope
note: The SKILL.md tells the agent/operator to run npx avatar-runtime and provides scripts that download third-party assets (ensure-default-*.sh). That behavior is expected for a runtime that can load models, but it means the agent will execute remote package code and fetch assets at runtime. The doc correctly warns about inspecting scripts and sandboxing; treat npx execution and asset downloads as sensitive actions (they may perform arbitrary network activity and could access any env vars exposed to the process).
Install Mechanism
note: There is no install spec; the skill relies on npx to retrieve and execute code from the npm registry at runtime. npx is a common but higher-risk mechanism because it pulls remote code on first run. The SKILL.md points to a GitHub repo to verify, but the runtime still requires internet to fetch packages and assets, so validate and pin the package source/version before trusting it in production.
Credentials
note: No required env vars are declared; several optional env vars are listed (HEYGEN_API_KEY, KUSAPICS_API_KEY, provider endpoints, etc.) which are plausible for provider integrations. The SKILL.md states these keys are passed to the npx process and warns about logging/exposure, which is appropriate. Users should avoid supplying sensitive production credentials to unverified remote code and should scope keys to least privilege or use dedicated test keys.
Persistence & Privilege
ok: The skill is not always-enabled and is user-invocable. It does not request to change other skills or system-wide config. There is no indication it tries to persist itself beyond running npx or to modify agent-wide settings.