ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Even G2 Bridge

Connect Even Realities G2 smart glasses to OpenClaw via Cloudflare Worker. Deploys a bridge that routes G2 voice commands to your OpenClaw Gateway — same age...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 179 · 0 current installs · 0 all-time installs
byJu Chun Ko@dAAAb
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The code and SKILL.md align with the stated purpose: a Cloudflare Worker proxies G2 requests to an OpenClaw Gateway and optionally calls Anthropic, OpenAI, and Telegram. However registry metadata lists no required environment variables or binaries while SKILL.md and worker.js require several secrets (GATEWAY_URL, GATEWAY_TOKEN, G2_TOKEN, ANTHROPIC_API_KEY, etc.). That mismatch between registry metadata and the skill's own instructions is incoherent and should be corrected.
Instruction Scope
SKILL.md instructions are specific and limited to deploying a Cloudflare Worker, setting worker secrets, and configuring the OpenClaw Gateway and G2 app. The instructions direct traffic only to the Gateway, Anthropic, OpenAI, and Telegram — all services documented in the skill. A minor scope discrepancy: SKILL.md instructs installing and using the 'wrangler' CLI (npm), but the registry metadata does not declare any required binaries.
Install Mechanism
This is an instruction-only skill with an included worker.js file (no install spec). There are no downloads from arbitrary URLs or obscure installers. The explicit instruction to npm install -g wrangler is reasonable for deploying Cloudflare Workers but should have been declared as an expected binary in the registry metadata.
!
Credentials
The worker expects several secrets appropriate for its function (gateway URL/token, G2_TOKEN, optional Telegram/OpenAI). Two issues raise concern: (1) SKILL.md marks ANTHROPIC_API_KEY as required even though it is only a fallback — requiring a third-party API key for basic operation is disproportionate; (2) the code enforces G2 authentication only if env.G2_TOKEN is present (it checks 'if (env.G2_TOKEN) { require auth }'), meaning a deployed worker without G2_TOKEN would accept unauthenticated requests and simply forward them to the Gateway (if gateway token present). Combined with the registry metadata claiming no required env vars, this creates potential for misconfiguration and unintended exposure.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system-wide privileges. It uses Cloudflare Worker background tasks (ctx.waitUntil) for long work, which is normal. It does not attempt to modify other skills or agent config files.
What to consider before installing
Before installing or deploying: - Treat the registry metadata as incomplete: SKILL.md and worker.js require secrets (GATEWAY_URL, GATEWAY_TOKEN, G2_TOKEN, ANTHROPIC_API_KEY) even though the registry entry lists none. Confirm the seller/author and correct metadata before proceeding. - Do not deploy the Worker without setting G2_TOKEN. The code will only enforce request auth if G2_TOKEN is present; leaving it unset could let anyone call your worker which (if GATEWAY_TOKEN is set) will forward requests to your Gateway. Always set a G2_TOKEN and a scoped GATEWAY_TOKEN. - Review why ANTHROPIC_API_KEY is marked required in SKILL.md: it is used as a fallback when the Gateway is unreachable and could reasonably be optional. If you don't want third-party fallbacks, omit/clear that secret and adjust the code. - Use a least-privilege Gateway token (scoped, limited TTL) for the Worker; verify the Worker never returns or leaks GATEWAY_TOKEN in responses/logs. - If you enable image or Telegram features, be aware those services will receive user content (OpenAI, Telegram). Confirm you accept that behavior and that privacy policies are appropriate. - Confirm the author/source (SKILL.md claims a GitHub repo). If the repository is available, review it and compare versions. If the source is unknown, treat the skill as higher risk. If these issues (metadata mismatch, mandatory Anthropic key, auth-enforcement behavior) are clarified and fixed, the skill's behavior is coherent for its purpose; until then, consider this suspicious and proceed cautiously.

Like a lobster shell, security has layers — review code before you run it.

Current versionv5.2.0
Download zip
cloudflare-workersvk971n17cpmjc517kwwvh54jq7h82gm87even-realitiesvk971n17cpmjc517kwwvh54jq7h82gm87g2vk971n17cpmjc517kwwvh54jq7h82gm87latestvk971n17cpmjc517kwwvh54jq7h82gm87smart-glassesvk971n17cpmjc517kwwvh54jq7h82gm87voicevk971n17cpmjc517kwwvh54jq7h82gm87wearablevk971n17cpmjc517kwwvh54jq7h82gm87

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Even Realities G2 × OpenClaw Bridge

Deploy a Cloudflare Worker that connects Even Realities G2 smart glasses to your OpenClaw Gateway.

What It Does

G2 Glasses → (voice→text) → CF Worker → OpenClaw Gateway → Full Agent
                                ↓                              ↓
                          G2 display (text)            Telegram (rich content)
  • Short tasks (chat, questions): Gateway responds → displayed on G2
  • Long tasks (write code, articles): G2 shows "Working on it..." → result sent to Telegram
  • Image generation: DALL-E generates → sent to Telegram (G2 can't show images)
  • Fallback: If Gateway is down, falls back to direct Claude API

Prerequisites

  1. Even Realities G2 glasses with Even app (v0.0.7+ with "Add Agent" support)
  2. OpenClaw Gateway with HTTP API enabled
  3. Cloudflare account (free plan works)
  4. Anthropic API key (fallback)
  5. Optional: OpenAI API key (image gen), Telegram bot token (rich content delivery)

Setup

1. Enable OpenClaw Gateway HTTP API

On your OpenClaw host, enable the chat completions endpoint:

openclaw config set gateway.http.endpoints.chatCompletions.enabled true
openclaw gateway restart

Verify:

curl -X POST https://YOUR_GATEWAY_URL/v1/chat/completions \
  -H "Authorization: Bearer YOUR_GATEWAY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"model":"openclaw","messages":[{"role":"user","content":"hi"}]}'

2. Deploy Cloudflare Worker

Copy scripts/worker.js to your project, then deploy:

# Install wrangler
npm install -g wrangler

# Login to Cloudflare
wrangler login

# Deploy
wrangler deploy

Or use the Cloudflare Dashboard: Workers & Pages → Create → Upload worker.js.

3. Set Secrets

# Required
wrangler secret put GATEWAY_URL      # Your OpenClaw Gateway URL
wrangler secret put GATEWAY_TOKEN    # Your Gateway auth token
wrangler secret put G2_TOKEN         # Token for G2 glasses auth (you choose)
wrangler secret put ANTHROPIC_API_KEY # Fallback when Gateway is down

# Optional (for Telegram delivery of rich content)
wrangler secret put TELEGRAM_BOT_TOKEN
wrangler secret put TELEGRAM_CHAT_ID

# Optional (for image generation)
wrangler secret put OPENAI_API_KEY

4. Configure G2 Glasses

In Even app → Settings → Add Agent:

  • Name: Your agent name (e.g., "Cloud Lobster")
  • URL: https://YOUR_WORKER.workers.dev
  • Token: The G2_TOKEN you set above

5. Test

curl -X POST https://YOUR_WORKER.workers.dev \
  -H "Authorization: Bearer YOUR_G2_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"model":"openclaw","messages":[{"role":"user","content":"Hello, who are you?"}]}'

Architecture

Request Flow

  1. G2 converts speech → text, sends as OpenAI chat completion format
  2. Worker authenticates via G2_TOKEN
  3. Worker classifies request:
    • Image gen → DALL-E + Telegram (immediate G2 ack)
    • Long task → immediate G2 ack + background Gateway call → Telegram
    • Short task → proxy to Gateway → return to G2
  4. Gateway runs full agent loop (memory, tools, skills)
  5. Response filtered for G2 display (no URLs, code blocks → Telegram)

Security

Two-layer token auth:

G2 --[G2_TOKEN]--> Worker --[GATEWAY_TOKEN]--> Gateway
  • G2 only knows G2_TOKEN — if glasses are lost, change only this token
  • GATEWAY_TOKEN stays in Worker secrets, never exposed to glasses
  • Gateway HTTP API should be behind auth (token or password mode)

G2 Display Limitations

  • 576×136 pixels, monochrome green, ~48 chars wide
  • Text only (no images, no markdown rendering)
  • Worker auto-filters: URLs → [link], code blocks → [code], long text → truncated
  • Non-displayable content forwarded to Telegram

Customization

Edit the task classification regex in worker.js:

  • isLongTask() — patterns that trigger background processing
  • isImageGenRequest() — patterns that trigger DALL-E

Troubleshooting

  • G2 says "Unauthorized": Check G2_TOKEN matches in Worker secrets and Even app
  • "Gateway not configured": Verify GATEWAY_URL and GATEWAY_TOKEN secrets are set
  • Timeout on short tasks: Gateway may be slow; increase SHORT_TIMEOUT (max ~25s for CF Workers)
  • No Telegram delivery: Check TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID secrets
  • Gateway returns 404: Ensure chatCompletions.enabled: true in OpenClaw config + restart

Files

4 total
Select a file
Select a file to preview.

Comments

Loading comments…