Xiang miles | Space2.world

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a simple local avatar/pod generator, but users should note that it writes a small local state file and outputs CDN image links, even though the short description says there are no file writes.

This skill is reasonable to install if you are comfortable with a visible ./s2_matrix_data/<POD-ID>.json file being created in the current directory and with optional remote image loading when you render its Markdown output. Avoid entering sensitive names, and consider asking the publisher to correct the short description so it no longer says there are no file writes.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI09: Human-Agent Trust Exploitation
Low
What this means

A user expecting a purely no-I/O skill may be surprised that it creates a local file and produces Markdown that can load remote images when rendered.

Why it was flagged

This top-level claim understates the actual behavior because SKILL.md and skill.py disclose a local state-file write and remote image URLs in generated Markdown.

Skill content

Description: Assign a deterministic 4-sqm virtual living space and a visual avatar to your local AI agent with no network calls or file writes.

Recommendation

Treat the detailed SKILL.md and source code as authoritative. The maintainer should update the short description and capability metadata to match the actual local write and remote image behavior.

ASI06: Memory and Context Poisoning
Low
What this means

Anyone with access to the working directory could see the chosen agent name, avatar, pod ID, coordinates, and last-active timestamp.

Why it was flagged

The skill persists user-provided agent identity and timing/state data to a local JSON file under ./s2_matrix_data.

Skill content

state_data = { "agent_name": agent_name, "avatar_id": avatar_choice, ... "last_active": current_timestamp }; ... json.dump(state_data, f, ensure_ascii=False, indent=2)

Recommendation

Use a non-sensitive agent name and delete the ./s2_matrix_data folder if you do not want this local state retained.

ASI07: Insecure Inter-Agent Communication
Info
What this means

If you paste the output into a Markdown viewer, that viewer may send a request to the image host, exposing normal network metadata such as IP address and user-agent to the CDN.

Why it was flagged

The script itself does not make a network request, but rendering the generated Markdown can cause the user's viewer to contact an external CDN.

Skill content

Remote Image URLs: The script generates and prints a Markdown string that contains remote image URLs ... your viewer will fetch the images from the Space2 CDN.

Recommendation

Render the Markdown only if you are comfortable loading images from spacesq.org, or remove the image tag before viewing.