Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Paw Chat

Install and manage Paw - a standalone web chat frontend for OpenClaw Gateway. Use when the user wants to install Paw, update Paw, or set up a web chat interf...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 18 · 0 current installs · 0 all-time installs
by Ori @oriliz
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description match the included assets and scripts (static frontend, start script, install script). Minor inconsistencies: package.json and README advertise a CLI (paw-cli.js) and logo.jpg that are not present in the provided file manifest, and README shows npm-based install commands even though this bundle is provided as static files and an install.sh. These look like documentation/packaging omissions rather than malicious mismatches.
Instruction Scope
SKILL.md instructs copying static files, running ./scripts/install.sh to place files under the OpenClaw UI directory, or running ./assets/start.sh locally. It also tells the user how to obtain the gateway Token from ~/.openclaw/config.yaml — that is relevant to the stated purpose (user-supplied token used to connect to the gateway). The runtime instructions do not ask the agent to read unrelated files, nor to transmit data to third-party endpoints.
Install Mechanism
No automated install spec is declared; this is effectively instruction-only plus scripts included in the bundle. The included scripts are local (scripts/install.sh and assets/start.sh) and copy files to ~/.openclaw/control-ui-static or run a local Python http.server — standard and low-risk. There are no downloads from remote URLs or archive extracts.
Credentials
The skill declares no required environment variables or credentials. The only sensitive item referenced is the OpenClaw gateway token (the UI asks the user to paste the gateway.auth.token from ~/.openclaw/config.yaml) which is appropriate and necessary for connecting to a user's gateway; the install script only accesses $OPENCLAW_HOME or ~/.openclaw to find the UI directory, which is consistent with installing a gateway UI component.
Persistence & Privilege
always is false and the skill does not request any special persistent privileges. The install script writes only into the OpenClaw UI static directory (or creates it) and does not modify other skills or broader agent settings.
Assessment
This package is a static web frontend that connects to whatever OpenClaw Gateway URL and token you enter in the browser UI. Before installing:
  (1) Inspect scripts/install.sh — it will create/copy files into ~/.openclaw/control-ui-static (or $OPENCLAW_HOME) so confirm that path is correct and OpenClaw is installed.
  (2) The README/package.json mention a CLI (paw-cli.js) and logo.jpg that are not present in the bundle — this is likely a packaging/documentation mismatch; do not run npm install commands promised in README unless you obtained the official npm package.
  (3) When connecting the UI, only provide a gateway token to a gateway you trust — the frontend stores the token in browser localStorage and will open a WebSocket to the gateway URL you supply.
  (4) Running ./assets/start.sh starts a local Python HTTP server and will open your browser; that's standard but check the file if you have strict policies.
If you want maximum safety, manually copy the listed assets into your Gateway UI directory rather than running unfamiliar install tooling, and verify the repository/source of this package matches an official OpenClaw release before using in production.
assets/paw-app.js:744
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.


Current version: v1.0.6
latest: vk97aepn5tj3tq1xtdawbwfn539830cnk


SKILL.md

Paw Chat

🐾 Paw is a standalone web chat frontend for OpenClaw. It needs no build tools and no backend: static files alone are enough to connect to any OpenClaw Gateway over WebSocket.

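Features

  • Standalone: pure static files, no build step, no backend
  • WebSocket connection: connects directly to the OpenClaw Gateway
  • Multi-session management: switch between and manage multiple chat sessions
  • Agent management: built-in agent configuration UI (identity, personality, user info, scheduled tasks)
  • Image support: paste, drag and drop, or upload images
  • Markdown rendering: full Markdown support, including code highlighting
  • Tool call display: shows tool calls and their results in real time
  • Theme switching: dark and light modes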

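Installation

Option 1: Install into the OpenClaw Gateway (recommended)

Install Paw into the Gateway's control-ui-static directory and access it directly through the Gateway:

# Run the install script
./scripts/install.sh

After installation, open: https://<gateway-host>:<port>/<basePath>/chat.html

Option 2: Run locally

# Change into the assets directory
cd assets

# macOS / Linux
./start.sh

# Windows
start.bat

Default port: 18790

Open: http://localhost:18790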

Option 3: Manual deployment

# Copy the files to any web server
cp assets/index.html /var/www/html/chat.html
cp assets/paw-app.js assets/marked.min.js assets/highlight.min.js assets/github-dark.min.css assets/logo.jpg /var/www/html/

First use

  1. Open the Paw page
  2. Click ⚙ Settings in the top-right corner
  3. Fill in:
    • Gateway URL: wss://<your-gateway-host>:<port>
    • Token: take gateway.auth.token from ~/.openclaw/config.yaml
  4. Click Connect

File structure

assets/
├── index.html          # Main page
├── paw-app.js          # Core logic
├── marked.min.js       # Markdown parser
├── highlight.min.js    # Code highlighting
├── github-dark.min.css # Code theme
├── logo.jpg            # Paw logo
├── start.sh            # macOS/Linux start script
└── start.bat           # Windows start script

Updating Paw

Re-run the install script to update:

./scripts/install.sh

Uninstalling

Delete the files from the Gateway directory:

rm -f ~/.openclaw/control-ui-static/chat.html
rm -f ~/.openclaw/control-ui-static/paw-app.js
rm -f ~/.openclaw/control-ui-static/marked.min.js
rm -f ~/.openclaw/control-ui-static/highlight.min.js
rm -f ~/.openclaw/control-ui-static/github-dark.min.css
rm -f ~/.openclaw/control-ui-static/logo.jpg

Files

10 total
