ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

数字宠物

v1.0.0

数字宠物 - 一个可爱的 3D 拉布布(Labubu)数字宠物,支持互动喂食、玩耍、抚摸。用于:(1) 桌面宠物陪伴,(2) 3D 互动展示,(3) 宠物养成游戏。

0· 373·0 current·0 all-time
by@wittfan
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (3D interactive desktop pet) align with the provided JS and Python files. The Python desktop app (PyQt5 WebEngine) and the Three.js front-end are appropriate for the stated purpose. Note: some file path choices (see instruction/serve behavior below) look inconsistent with the repository layout, indicating an implementation bug rather than a capability mismatch.
Instruction Scope
SKILL.md only instructs running the local server (python3 scripts/serve.py) and interacting locally via the browser. The runtime instructions do not ask the agent to read unrelated system files, environment variables, or network secrets. The code likewise focuses on local UI and WebView interactions.
Install Mechanism
No install spec is present (instruction-only skill), and the provided files are client-side JS and Python. There are no downloads from external release URLs or archives in the manifest. The front-end pulls Three.js from a CDN, which is normal for a web demo.
Credentials
The skill requires no environment variables or credentials. The Python desktop app uses local OS features (window, mouse position) which are necessary for a desktop pet; no unrelated secrets or external tokens are requested.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or global agent config. The desktop app will create a persistent always-on-top window (by design) but this is limited to the user's session and relates to the stated purpose.
Assessment
This package appears to be a local desktop/browser 3D pet and is internally consistent with that purpose. Before running: (1) note the Python desktop app requires PyQt5 and PyQtWebEngine (pip install PyQt5 PyQtWebEngine) and will create an always-on-top, frameless window that follows the mouse — consider running it in a VM or disposable environment if you are cautious; (2) the front-end loads Three.js from a CDN so Internet access is needed for the demo; (3) I observed likely bugs where scripts (serve.py and desktop_pet.py) construct paths using the scripts/ directory rather than the repository root — you may need to run from a particular working directory or move files for the server/desktop app to find pet_widget.html/index.html; (4) desktop_pet exposes a WebChannel bridge (pybridge) so JavaScript can call limited Python methods (moveToMouse/log); currently these methods are simple and intended for UI control, but if you modify the files be careful not to expose sensitive APIs to web content; (5) there are no requested credentials or obvious exfiltration endpoints in the provided files. If you want higher assurance, run the app in a sandbox, inspect pet_widget.html/index.html for any remote URLs beyond the three.js CDN, and fix the path assumptions in the scripts so the server serves the intended HTML assets.

Like a lobster shell, security has layers — review code before you run it.

latestvk974avse659mmwyxfg4anmx4hx8273tw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments