Digital Clawatar

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its UNITH avatar-management purpose, but it can permanently delete hosted avatars, and its agent notes instruct agents to bypass the delete script's interactive confirmation.

Use this skill only if you trust it to manage your UNITH account. Before deletes or major updates, make the agent repeat the exact head ID and alias and get your explicit approval. Protect UNITH_SECRET_KEY and the local token cache, and upload only documents or webhook conversation data that you are comfortable sending to UNITH or the configured endpoint.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the request or the head ID is ambiguous, an agent following these instructions could permanently delete the wrong hosted digital human: passing --confirm suppresses the script's final interactive prompt, so nothing built into the skill stops the call.

Why it was flagged

The skill explicitly instructs agents to skip the script's interactive confirmation for an irreversible delete action.

Skill content

bash scripts/delete-head.sh <headId> --confirm     # always use --confirm in automated/agent contexts ... This permanently removes the digital human and cannot be undone. ... Agent note: Always pass `--confirm` when calling this script.

Recommendation

Require an explicit user confirmation that repeats the exact head ID and alias before passing --confirm, never derive the target from a fuzzy alias match, and avoid autonomous deletion based on inferred intent.
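One way to implement that gate in the shell the skill already uses. This is an added example, not code from the Digital Clawatar skill or from UNITH: the operator must type the head ID and alias back verbatim before the skill's delete script is invoked with --confirm; a bare "y", an empty answer or a different ID is treated as a refusal. The head ID "hd_123" and alias "sales-bot" used below are placeholders, and the real ID format is whatever UNITH returns from a listing call.

```shell
#!/bin/sh
# Added example (not part of the Digital Clawatar skill): a confirmation gate
# that must pass before delete-head.sh is called with --confirm.
# Assumption: the head ID and alias were obtained from a prior listing call
# and are passed in by the caller; the operator's answer is read from stdin.

# confirm_delete HEAD_ID ALIAS
# Returns 0 only if the operator types "<HEAD_ID> <ALIAS>" exactly.
confirm_delete() {
    head_id=$1
    head_alias=$2
    printf 'About to PERMANENTLY delete digital human %s (alias: %s).\n' \
        "$head_id" "$head_alias" >&2
    printf 'This cannot be undone. Type the head ID and alias to proceed: ' >&2
    # Empty input / EOF is a refusal, not a default "yes".
    IFS= read -r answer || return 1
    [ "$answer" = "$head_id $head_alias" ]
}

# delete_head_gated HEAD_ID ALIAS
# Invokes the skill's documented delete script only after the gate passes.
delete_head_gated() {
    if confirm_delete "$1" "$2"; then
        bash scripts/delete-head.sh "$1" --confirm
    else
        printf 'Deletion of %s refused: confirmation did not match.\n' "$1" >&2
        return 1
    fi
}

# Usage (interactive):  delete_head_gated hd_123 sales-bot
```

The comparison is a string equality on both fields, so an agent cannot satisfy it by reusing a generic "yes" it was told to send; it has to surface the exact identifiers to the human.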

What this means

Any process running as the same user, or as root, can read that file and replay the cached UNITH bearer token until it expires or the file is removed. The default path is a fixed, predictable name in the shared /tmp directory, and the file is created with the shell's default mode and only tightened to 0600 afterwards.

Why it was flagged

The auth script caches the UNITH account's bearer token in a local file so later commands can reuse it without re-authenticating; the default location is /tmp/.unith_token_cache, overridable through UNITH_TOKEN_CACHE.

Skill content

TOKEN_CACHE="${UNITH_TOKEN_CACHE-/tmp/.unith_token_cache}" ... printf '%s\t%s\t%s\n' "$UNITH_EMAIL" "$TOKEN" "$(date +%s)" > "$TOKEN_CACHE"; chmod 600 "$TOKEN_CACHE"

Recommendation

Protect the local account, remove the cache file when the session is done, point UNITH_TOKEN_CACHE at a directory only your user can read rather than /tmp, or set it to an empty value to disable caching (the script's ${UNITH_TOKEN_CACHE-...} default expansion honours an empty value).
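A hardened version of the cache write, as an added example rather than the skill's own auth script: the file is created under a user-private directory with a restrictive umask in force before the file exists, a pre-planted symlink at the cache path is refused, stale tokens are ignored on read, and the skill's documented switch (empty UNITH_TOKEN_CACHE disables caching) is preserved. The tab-separated "email, token, issued-at" layout mirrors the excerpt above; the UNITH_TOKEN_CACHE_MAX_AGE variable and the unith_cache_* function names are choices made here, not part of the skill.

```shell
#!/bin/sh
# Added example (not the skill's auth script): owner-only token cache.
# Assumptions: UNITH_TOKEN_CACHE_MAX_AGE (seconds) is a name chosen here;
# the record format "email\ttoken\tissued_at" follows the skill's excerpt.

# unith_cache_path: honour UNITH_TOKEN_CACHE if set (empty = caching off),
# otherwise use a per-user location instead of the shared /tmp.
unith_cache_path() {
    if [ -n "${UNITH_TOKEN_CACHE+x}" ]; then
        printf '%s' "$UNITH_TOKEN_CACHE"
    else
        printf '%s/unith/token' "${XDG_RUNTIME_DIR:-$HOME/.cache}"
    fi
}

# unith_cache_write EMAIL TOKEN
# The file and its parent directory are created owner-only from the start;
# there is no window where the token sits in a world-readable file.
unith_cache_write() {
    path=$(unith_cache_path)
    [ -n "$path" ] || return 0                 # caching disabled
    (
        umask 077                              # applies before the file is opened
        mkdir -p "$(dirname "$path")"
        if [ -L "$path" ]; then                # do not write through a planted link
            printf 'refusing to write through symlink %s\n' "$path" >&2
            exit 1
        fi
        rm -f "$path"                          # drop a stale file so the new mode applies
        printf '%s\t%s\t%s\n' "$1" "$2" "$(date +%s)" > "$path"
    )
}

# unith_cache_read EMAIL
# Prints the cached token for EMAIL if younger than the max age (default 1 h).
unith_cache_read() {
    path=$(unith_cache_path)
    [ -n "$path" ] && [ -f "$path" ] || return 1
    max_age=${UNITH_TOKEN_CACHE_MAX_AGE:-3600}
    now=$(date +%s)
    while IFS="$(printf '\t')" read -r email token issued; do
        if [ "$email" = "$1" ] && [ $((now - issued)) -lt "$max_age" ]; then
            printf '%s' "$token"
            return 0
        fi
    done < "$path"
    return 1
}

# unith_cache_clear: remove the cache, e.g. at the end of an agent session.
unith_cache_clear() {
    path=$(unith_cache_path)
    [ -n "$path" ] && rm -f "$path"
}

# unith_cache_mode: permission string of the cache file, for a quick audit.
unith_cache_mode() {
    ls -ld "$(unith_cache_path)" | cut -c1-10
}
```

The symlink test is a check, not a guarantee (it can still race against a local attacker), which is why the directory is private as well; on a shared host that is the control that actually matters.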

What this means

Uploaded documents leave the local machine and may be used to answer future user questions through the hosted avatar.

Why it was flagged

The doc_qa workflow uploads a user-selected local document to UNITH for use as the avatar's knowledge base.

Skill content

unith_curl -X POST "$API_BASE/document/upload" ... -F "file=@$FILE_PATH" -F "headId=$HEAD_ID"

Recommendation

Upload only documents approved for UNITH processing and review the provider's retention/privacy terms before using sensitive files.

What this means

Conversation content may be transmitted to the configured webhook endpoint outside UNITH.

Why it was flagged

Plugin mode creates a webhook-style data flow from UNITH conversations to a user-provided external conversational engine.

Skill content

UNITH sends conversation messages to your endpoint and expects text responses.

Recommendation

Use only HTTPS endpoints you control or have reviewed, verify that each incoming request genuinely comes from UNITH using whatever authentication the plugin integration supports, log and monitor what the endpoint receives, and do not route sensitive conversations through unreviewed services.

What this means

If copied into a website, the embedded page will execute whatever code UNITH serves at that URL as the latest widget version; because the URL is not pinned and carries no integrity hash, a changed or compromised script is loaded silently.

Why it was flagged

The embedding example loads the latest remote UNITH widget script rather than a pinned version.

Skill content

<script src="https://cdn.unith.ai/widget/latest/unith-widget.js"></script>

Recommendation

Review UNITH's widget documentation, pin a specific version if one is published, add a Subresource Integrity hash (the integrity attribute) once the URL is immutable, and ensure camera/microphone permissions are appropriate for the site.
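The pinned form of the embed, shown as an added example that is not from the skill or from UNITH's documentation. The weak setting is the "latest" tag above; the corrected one is a fixed release URL plus a Subresource Integrity token computed from the exact file you reviewed. Whether UNITH publishes per-version paths is an assumption to verify, and the browser will only enforce the hash if the CDN answers with CORS headers, which is why crossorigin="anonymous" is required. sri_check replicates the browser's comparison so you can see a modified file fail.

```shell
#!/bin/sh
# Added example (not the skill's or UNITH's code): pin the widget and lock it
# with Subresource Integrity instead of loading whatever "latest" resolves to.
# Assumption: a versioned URL such as .../widget/<version>/unith-widget.js
# exists; check UNITH's widget documentation before relying on it.

# sri_hash FILE: SRI token "sha384-<base64>" for a local copy of the script.
sri_hash() {
    printf 'sha384-%s' "$(openssl dgst -sha384 -binary "$1" | openssl base64 -A)"
}

# sri_check FILE TOKEN: what the browser does at load time; fails on any change.
sri_check() {
    [ "$(sri_hash "$1")" = "$2" ]
}

# widget_tag URL TOKEN: the pinned <script> tag to paste into the page.
widget_tag() {
    printf '<script src="%s" integrity="%s" crossorigin="anonymous"></script>\n' "$1" "$2"
}

# Usage: download the exact release you reviewed, hash it, emit the tag.
#   URL="https://cdn.unith.ai/widget/<version>/unith-widget.js"   # placeholder
#   curl -fsSL "$URL" -o unith-widget.js
#   widget_tag "$URL" "$(sri_hash unith-widget.js)"
```

Pinning is a prerequisite, not an optional extra: an integrity attribute on the "latest" URL would break the embed at UNITH's next release, so the version and the hash move together when you deliberately upgrade.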