ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Chat With Me

v1.1.0

Real-time AI video chat that routes through your OpenClaw agent. Uses Groq Whisper (cloud STT), edge-tts (cloud TTS via Microsoft), and OpenClaw chatCompletions API for conversation. Your agent sees your camera, hears your voice, and responds with its own personality and memory. Requires: GROQ_API_KEY for speech recognition. Reads ~/.openclaw/openclaw.json for gateway port and auth token. Data flows: audio → Groq cloud (STT), TTS text → Microsoft cloud (edge-tts), camera frames (base64) + text → OpenClaw gateway → your configured LLM provider (may be cloud — frames leave the machine if using a cloud LLM). Installs a persistent launchd service (optional). Trigger phrases: "video chat", "voice call", "call me", "视频一下", "语音", "打电话给我", "我要和你视频", "videochat-withme".

0· 1.1k·2 current·2 all-time
by@sxu75374
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the actual behavior: python+ffmpeg server that sends audio to Groq Whisper (GROQ_API_KEY) and routes camera frames/text to the OpenClaw gateway for chatCompletions. Declared required binaries and config (gateway.http) align with these needs. Minor concern: source/homepage missing which reduces trust.
Instruction Scope
SKILL.md and scripts instruct the agent to read ~/.openclaw/openclaw.json and ~/.openclaw/secrets/groq_api_key.txt, run setup.sh, install Python deps and mkcert, generate certs, and start a FastAPI server that encodes camera frames as base64 and POSTs them to the gateway. All of this is coherent with the stated purpose but grants the skill broad access to camera frames, microphone audio, and your agent session.
Install Mechanism
No centralized install spec, but included setup.sh will install Python packages via pip, use brew to install ffmpeg/mkcert if available, generate local certs, and write a launchd plist. These are common but modify the system (LaunchAgents, pip installs). There are no suspicious remote download URLs in the provided scripts.
!
Credentials
GROQ_API_KEY is expected. The skill reads the OpenClaw gateway auth token from ~/.openclaw/openclaw.json (not declared as an env var) and uses it to call /v1/chat/completions as the main agent. That token effectively gives the skill access to the agent's full memory, personality, and tools — a high‑privilege credential that has broad consequences if misused.
!
Persistence & Privilege
setup.sh optionally installs a LaunchAgent that auto-starts the HTTP server (persistent, starts at login). Persistent service combined with reading the gateway token and sending camera frames to the agent increases risk: the service could be triggered without explicit user action and route sensitive data to a cloud LLM if the gateway forwards externally.
Scan Findings in Context
[base64-block] expected: The SKILL.md and server.py explicitly encode camera frames as base64 and send them to the gateway. The base64 pattern match is expected for an application that posts images as data URLs.
What to consider before installing
This skill's functionality matches its description, but it carries elevated privacy and privilege implications. Before installing: 1) Note the source is unknown and there's no homepage—exercise caution. 2) Review server.py and setup.sh yourself (they are included) — verify exactly how the OpenClaw gateway token is read/used. 3) Understand that the skill reads your GROQ key and the OpenClaw gateway auth token (from ~/.openclaw/openclaw.json) — that gateway token grants access to the agent's memory/tools and can route frames to cloud LLMs. 4) If you install, consider running without the LaunchAgent first (use start.sh directly) and test locally, or run in a sandboxed account/container. 5) If you require privacy: configure your OpenClaw gateway to use a local/self‑hosted model (so frames don’t leave your machine), or do not provide the gateway auth in the config. 6) If you’re not comfortable auditing or trusting the author, do not install. Rotating credentials after removal and checking /tmp/videochat-withme.log and the created LaunchAgent plist are good post‑install checks.

Like a lobster shell, security has layers — review code before you run it.

latestvk97eda740btntn7fwp929qgwph8116m6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎥 Clawdis
Binspython3, ffmpeg
EnvGROQ_API_KEY
Configgateway.http

Comments