ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pixel Lobster Skill

v1.2.1

Pixel art desktop lobster that lip-syncs to OpenClaw TTS speech. Use when: (1) user wants a visual avatar for their AI agent, (2) user wants a desktop overla...

0· 739·0 current·0 all-time
by@joeproai
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (pixel art lobster that lip-syncs to TTS) matches the included files and runtime behavior. The app reads a local config, polls a TTS envelope endpoint, or captures system audio in an explicit 'system' mode. No unrelated credentials, binaries, or external services are requested.
Instruction Scope
SKILL.md instructs installing dependencies and launching the bundled Electron app and explains configuration keys. The only scope creep is the documented 'system' audio mode: when enabled the app requests display/media capture and wires up loopback audio. That is a legitimately described feature but it grants the app permission to capture system audio (and requires granting display-capture permissions). If you do not want screen/audio capture, keep audioMode='tts'.
Install Mechanism
There is no external download URL; the app is bundled inside the skill. Installing runs 'npm install' which will fetch Electron and other packages from the npm registry (devDependency electron ^34.0.0). This is expected for an Electron app but means npm will download code during first run — a moderate but normal risk for desktop apps.
Credentials
The skill requests no environment variables, no credentials, and no config paths beyond its own config.json. The network access is proportional: the app uses a configurable ttsUrl (default 127.0.0.1:8787) and does not hard-code remote endpoints.
Persistence & Privilege
always:false and the skill is user-invocable. It registers global shortcuts (F8/F9/F12) and sets permission handlers for its Electron session (to allow media/display capture in 'system' mode). Those are normal for a desktop overlay but mean the app can intercept global keys while running and can request and automatically allow certain media permissions in its session.
Assessment
This skill appears to do what it says: a local Electron app that lip-syncs to a TTS envelope endpoint or — if you opt into it — captures system audio. Before installing: (1) prefer audioMode='tts' if you do not want any screen/audio capture; (2) review and, if desired, edit app/config.json to point ttsUrl to a local trusted TTS server; (3) be aware npm install/npx electron will download packages from npm (including Electron), so run it on a machine you trust or in a sandbox/VM if you want extra isolation; (4) because the skill source/homepage is unknown, inspect the bundled files yourself (they are present) and only grant media/display permissions if you understand and accept that the app can capture system audio/display while running.

Like a lobster shell, security has layers — review code before you run it.

animationvk979t6t38vm74cynvjj6a0pew981s3hyavatarvk979t6t38vm74cynvjj6a0pew981s3hydesktopvk979t6t38vm74cynvjj6a0pew981s3hylatestvk97b0dqbdypxc0k8s6gy94fz5d81v2y9pixel-artvk970c12kqw9wqb8mnw083j6xa181mckjttsvk979t6t38vm74cynvjj6a0pew981s3hy
739downloads
0stars
6versions
Updated 5h ago
v1.2.1
MIT-0
@joeproai
animationavatardesktoplatestpixel-arttts
Download

Pixel Lobster

A transparent desktop overlay featuring a pixel art lobster that animates when your OpenClaw agent speaks. Powered by envelope data from your local TTS server — the lobster's mouth only moves during AI speech, not music or system audio.

The app is fully bundled inside this skill — no external repository clone required.

Requirements

  • Node.js 18+ with npx available
  • A running TTS server exposing GET /audio/envelope (XTTS on port 8787, or any OpenAI-compatible TTS via the OpenClaw TTS proxy)
  • Windows or Linux desktop (macOS not supported)

Install

The app is included in this skill at <skill_dir>/app/. Install dependencies once:

cd <skill_dir>/app
npm install

Configure

Edit <skill_dir>/app/config.json before launching. Key settings:

KeyDefaultDescription
audioMode"tts""tts" reacts only to TTS speech; "system" captures all audio output
ttsUrl"http://127.0.0.1:8787"Base URL of your TTS server
monitor"primary""primary", "secondary", "left", "right", or display index
lobsterScale4Sprite scale (4 = 480px tall lobster)
clickThroughfalseStart with click-through mode on so the lobster doesn't block clicks
swimEnabledtrueEnable swimming animation

Launch

cd <skill_dir>/app
npx electron .

Or use the included helper script (handles first-run npm install automatically):

bash <skill_dir>/scripts/launch.sh

Keyboard Shortcuts

KeyAction
F8Move window to next monitor (cycles through all displays)
F9Toggle click-through mode
F12Toggle DevTools

OpenClaw Integration

With OpenClaw and a local XTTS server, set audioMode to "tts" and point ttsUrl at your XTTS instance. The lobster polls the envelope endpoint at 45ms intervals during active speech and 500ms when idle — no perceptible CPU cost.

If you use the OpenClaw TTS proxy (port 8788), point ttsUrl at port 8787 (the XTTS server directly), not the proxy — the envelope endpoint is on the TTS server, not the proxy layer.

Lip Sync Notes

If the mouth movement is ahead of or behind the audio:

  • Mouth moves too early: increase ttsPlayStartOffsetMs (default 1100ms)
  • Mouth moves too late: decrease ttsPlayStartOffsetMs

The default is tuned for PowerShell MediaPlayer on Windows. Other playback methods may need adjustment.

Mouth Shapes

Six visemes drive natural speech animation:

  • A — wide open "ah"
  • B — wide grin "ee"
  • C — round "oh"
  • D — small pucker "oo"
  • E — medium "eh"
  • F — teeth "ff"

Plus X (closed) for silence and pauses. Spring physics and variety enforcement prevent robotic repetition.

Comments

Loading comments...