Video Messages from your openclaw
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could install a global npm tool different from the one intended if the package name or maintainer is not verified.
The core avatarcam binary is supplied by a globally installed npm package, and the scoped package name in metadata differs from the unscoped package in the install command. This is disclosed and purpose-aligned, but it creates package-provenance ambiguity.
"package": "@thewulf7/openclaw-avatarcam", "global": true ... npm install -g openclaw-avatarcam
Verify the exact npm package, publisher, and version before installing; prefer a pinned or clearly sourced package when possible.
When used, the skill may send the generated video rather than only saving it locally.
The workflow invokes OpenClaw's message tool to send the generated video note. This is central to the skill's purpose, but it is still an outgoing action a user should recognize.
message action=send filePath=/tmp/video.mp4 asVideoNote=true
Use it when you intend to send a video message, and review the requested content before asking the agent to send it.
The skill will run local video-processing tools and may consume compute resources while creating the MP4.
The skill runs local media-generation commands through avatarcam and ffmpeg. This command execution is expected for video rendering and is documented.
avatarcam --audio voice.mp3 --output video.mp4 --background "#00FF00"
Install only the required tools from trusted sources and keep generated files in expected temporary/output locations.