Holocube Emotes
v1.0.0
Control a GeekMagic holocube display as an AI emote system. Generate holographic sprite kits with Gemini, upload to device, and swap expressions based on agent state (idle, working, error, etc.). Use when the user has a GeekMagic holocube (HelloCubic-Lite or similar) and wants their AI assistant to have a physical face that reacts to conversation context.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description match the implemented behavior: generating sprites and pushing them to a GeekMagic holocube. However, the skill metadata lists no required environment variables or primary credential while SKILL.md and the code clearly require a GEMINI_API_KEY (and the nano-banana-pro skill) for sprite generation and expect the 'uv' binary and Pillow. The omission of these required pieces in the declared metadata is an incoherence.
Instruction Scope
Runtime instructions and included scripts are consistent with the stated purpose: discover devices on the local subnet, generate images via a Gemini-backed skill, convert to GIF/JPG, upload to the device, and set emotes. The scripts perform a full /24 subnet scan to discover devices, read and write files under the user's home (~/.openclaw workspace), read ~/.openclaw/openclaw.json to obtain API keys, and perform HTTP POSTs to local device endpoints (e.g., /doUpload, /set). These actions are expected for setup but are broader than a simple 'emote setter' (network scanning, parsing device HTML for backup, and writing files). There is no instruction to send data to third-party endpoints beyond the image-generation step (nano-banana-pro/Gemini), and no obfuscated or hidden remote endpoints were found.
Install Mechanism
This is an instruction-only skill with bundled scripts (no install spec). No arbitrary remote download/install steps were specified. The scripts call external binaries (uv, Pillow) and a separately installed nano-banana-pro skill; those are typical for image generation but should be installed from trusted sources.
Credentials
The metadata declares no required environment variables, but the code and SKILL.md require GEMINI_API_KEY (and attempt to read it from env or ~/.openclaw/openclaw.json). The scripts also read the OpenClaw config file in the user's home to find the nano-banana-pro API key. Reading that config could expose other skill API entries if present. Required binaries (uv, Pillow) are mentioned in SKILL.md but not enforced in metadata. This mismatch means the skill will need sensitive credentials that were not declared in the registry entry — a proportionality and transparency problem.
Persistence & Privilege
The skill does not request always: true or attempt to alter other skills' configuration. It writes generated assets into the user's workspace (~/.openclaw/workspace/assets/holocube-sprites) and uploads/clears files on the holocube device. Those are expected behaviors for this functionality. Note: the agent-autonomous invocation default is enabled but not combined with wide undeclared credential requests in the metadata (the credential is required by code but not declared), so users should be cautious about automated runs.
What to consider before installing
- Missing declared credential: The skill's registry metadata does NOT list any required environment variables, but SKILL.md and the scripts require GEMINI_API_KEY (Gemini image generation) and the nano-banana-pro skill. The skill will try to read GEMINI_API_KEY from your environment or from ~/.openclaw/openclaw.json. If you keep API keys in that config, this skill will read that file — verify you are comfortable with that.
- Network actions: The scripts scan your local /24 subnet to discover devices and then POST files and commands to the device IP (e.g., /doUpload, /set). This is expected for device setup but may look intrusive; run only on trusted networks and confirm the IP of the target device before allowing automated runs.
- External execution: Sprite generation invokes an external script via 'uv run' (nano-banana-pro). That effectively runs code from the nano-banana-pro package and sends prompts/API calls to Gemini. Ensure nano-banana-pro and 'uv' are installed from trusted sources and you understand how your GEMINI_API_KEY will be used.
- File writes: The skill writes generated assets under your home directory (~/.openclaw/workspace/...) and may clear/backup images on the device. Back up anything important on the device first.
- Practical recommendations: (1) Ask the publisher to update the registry metadata to declare GEMINI_API_KEY as a required env and list required binaries (uv, Pillow) and the nano-banana-pro dependency. (2) Inspect the included scripts yourself (they are plain text and un-obfuscated) and verify you trust nano-banana-pro. (3) Do not provide an API key you don't trust being used for image generation. (4) If you want stronger guarantees, run the network discovery and upload steps manually rather than allowing automated/autonomous agent invocation.
Overall: the skill appears to implement the advertised functionality, but the undeclared credential/dependency and the broad local actions warrant caution — treat as suspicious until metadata is corrected and you confirm trust in the image-generation dependency.
