Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Clawface
v0.0.3
Start the Clawface 3D avatar web UI — serves a local web page the user opens in their browser
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and SKILL.md implement a local HTTP server + a WebSocket proxy that authenticates to an upstream gateway (signing with a device private key) and calls a local sherpa-onnx TTS runtime. Those capabilities align with a '3D avatar web UI with TTS' purpose. However the registry metadata declares no required environment variables/credentials while the runtime expects a gateway token and a device identity file; that mismatch is notable.
Instruction Scope
SKILL.md explicitly instructs running node bin/serve.js with --gateway-token (OPENCLAW_GATEWAY_TOKEN), --identity-file (device.json), and other args. Those instructions stay within the stated purpose (authenticating to a gateway and serving assets), and the code claims credentials remain server-side. Still, the instructions require reading a device private key file and using it to sign gateway challenges — a sensitive operation that should only be done if the gateway is trusted. SKILL.md references environment variables (OPENCLAW_GATEWAY_TOKEN / OPENCLAW_GATEWAY_PORT) that are not listed in the skill's declared requirements.
Install Mechanism
The skill's metadata includes download/install entries that fetch sherpa-onnx runtime and a TTS model from GitHub releases and extract them into ~/.openclaw/tools/clawface. Downloading from GitHub releases is a reasonable choice for native runtimes, but extract:true means native binaries/libs will be written to disk — this increases risk compared to an instruction-only skill and is worth auditing (verify checksums/source).
Credentials
The skill requests no env vars in registry metadata, yet SKILL.md and serve.js rely on a gateway token (OPENCLAW_GATEWAY_TOKEN / argument --gateway-token), possibly OPENCLAW_GATEWAY_PORT, and an identity file containing a private key. These are sensitive credentials. Not declaring them in the metadata is a mismatch that obscures the degree of credential access required. Requiring a device private key and gateway token is plausible for the stated function, but the omission in metadata is a red flag.
Persistence & Privilege
The skill sets always:false (no forced permanent inclusion) and does not request system-wide privileges. It will write runtime/model files under ~/.openclaw/tools/clawface per its install entries and run a local Node server. This level of presence is expected for a local media/TTS component.
What to consider before installing
Summary of what to consider before installing:
- Credential expectations: SKILL.md and bin/serve.js require a gateway token and a device identity file (private key) but the skill metadata does not declare those env vars — you will need to provide sensitive credentials (OPENCLAW_GATEWAY_TOKEN and a device.json containing privateKeyPem) for the proxy to work. Only provide those if you fully trust the gateway URL and the skill source.
- Review the code: serve.js reads and signs with your private key and proxies WebSocket messages to the browser. This is necessary for the gateway auth flow, but it means the skill can forward any messages between your browser and the gateway. Inspect serve.js yourself or trust the publisher before running.
- Downloads and native binaries: the install step downloads and extracts a sherpa-onnx runtime and a voice model from GitHub releases. This is expected for local TTS, but because native binaries are written to disk you should verify the source and checksums if possible.
- Operational caution: run the server only on localhost and ensure the gateway URL you pass is the legitimate one. If you do not control or trust the gateway, do not provide your device private key or token. Consider running the server in a sandbox or reviewing/limiting network access when testing.
If you want a safer posture before installing: ask the publisher to update the skill metadata to declare required credentials (primaryEnv), provide checksums for downloads, and publish a homepage / source repo for independent review.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
- bin/serve.js:465: Shell command execution detected (child_process).
- dist/thermion_dart.js:1: Dynamic code execution detected.
- bin/serve.js:41: File read combined with network send (possible exfiltration).
- dist/thermion_dart.js:1: File read combined with network send (possible exfiltration).
Runtime requirements
🐾 Clawdis
OS: macOS · Linux
Bins: node
