数字宠物 (Digital Pet)

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a coherent 3D digital pet skill, with a few ordinary but noticeable local-server, remote-library, and background desktop-widget behaviors.

This looks safe to try as a local digital pet. Before installing or running it, be aware that it loads Three.js from a CDN at runtime without an integrity hash, starts a local web server that binds to all interfaces and so may be reachable from other devices on your network, and the desktop mode keeps running in the tray after its window is closed until it is explicitly quit.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the remote library source is unavailable or compromised, the pet page could fail or run altered JavaScript in the page context. Because the script tag carries no integrity attribute, the browser has no way to notice that the fetched file differs from the one the author tested against.

Why it was flagged

The pet UI depends on a remote CDN-hosted JavaScript library. This is normal for a Three.js demo, but it means part of the code executed by the browser is fetched from a third party at runtime.

Skill content
<script src="https://cdnjs.cloudflare.com/ajax/libs/three.js/r128/three.min.js"></script>
Recommendation

Prefer a locally bundled copy of Three.js, or keep the CDN reference but pin it with a Subresource Integrity hash so the browser refuses to execute a file whose bytes have changed, if you want stronger supply-chain control.
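The following added example shows what "integrity-pinned" means in practice. It is not part of the skill and not ClawScan's code: it computes a Subresource Integrity token (the form the HTML `integrity` attribute expects, an algorithm name followed by the base64 of the digest) for a downloaded copy of the library, emits the pinned `<script>` tag, and re-checks a copy against a recorded token. The library bytes below are a constructed stand-in, so the token they produce is not the token for the real three.min.js r128; compute it over the actual file you downloaded and reviewed.

```python
import base64
import hashlib
import hmac
import html

# Constructed stand-in for the downloaded three.min.js. The real file's
# digest differs; run sri_digest() over the bytes you actually fetched.
SAMPLE_LIBRARY_BYTES = b"/* constructed stand-in for three.min.js */ window.THREE = {};"

# The URL the skill uses for the library (assumed unchanged here).
THREE_CDN_URL = "https://cdnjs.cloudflare.com/ajax/libs/three.js/r128/three.min.js"

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")  # the only algorithms SRI permits


def sri_digest(data: bytes, algorithm: str = "sha384") -> str:
    """Return an SRI token such as 'sha384-<base64 digest>' for the given bytes."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"SRI permits only {', '.join(SRI_ALGORITHMS)}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def pinned_script_tag(src: str, data: bytes, algorithm: str = "sha384") -> str:
    """Build a <script> tag the browser will refuse to run if the fetched bytes differ.

    crossorigin="anonymous" is required for the browser to enforce integrity on a
    cross-origin script; the CDN must serve the file with CORS headers, which
    public CDNs such as cdnjs do.
    """
    token = sri_digest(data, algorithm)
    return (
        f'<script src="{html.escape(src, quote=True)}" '
        f'integrity="{token}" crossorigin="anonymous"></script>'
    )


def verify_local_copy(data: bytes, expected_token: str) -> bool:
    """Re-check a downloaded copy against a token recorded earlier.

    Useful when you bundle the library locally and want to confirm the vendored
    file still matches the one you reviewed. Constant-time compare avoids
    leaking how much of the token matched.
    """
    algorithm = expected_token.split("-", 1)[0]
    if algorithm not in SRI_ALGORITHMS:
        return False
    return hmac.compare_digest(sri_digest(data, algorithm), expected_token)


if __name__ == "__main__":
    print(pinned_script_tag(THREE_CDN_URL, SAMPLE_LIBRARY_BYTES))
```

Once the tag carries an integrity token, a substituted or truncated file fails the check and the browser logs an SRI error instead of executing it; the page then degrades (the pet does not render) rather than running code the author never saw.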

What this means

While the server is running, other devices on the same network may be able to request files served by this skill.

Why it was flagged

The local server adds a wildcard CORS header and binds to all interfaces rather than only localhost. It appears intended to serve the pet locally, but the network exposure is broader than the displayed localhost URL suggests: any device that can reach the machine can request the served files, and because Access-Control-Allow-Origin is '*', any web page open in the same browser (not just the pet page) can read responses from the server.

Skill content
self.send_header('Access-Control-Allow-Origin', '*') ... socketserver.TCPServer(("", PORT), MyHTTPRequestHandler)
Recommendation

Run the server only on trusted networks and stop it when finished. If you edit the skill, bind to 127.0.0.1 instead of all interfaces and drop the wildcard Access-Control-Allow-Origin header unless a cross-origin caller genuinely needs it; a page served by this same server needs no CORS header at all.
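As an added example (not the skill's own code, and not ClawScan's), here is the shape the hardened server from the recommendation would take, using the same http.server and socketserver modules the excerpt shows. The port value, the handler name and the origin allowlist are assumptions for illustration: the skill's actual PORT constant is not visible in the excerpt. The two changes are the bind address ("127.0.0.1" instead of "") and replacing the wildcard CORS header with an allowlist that reflects only the pet page's own origin, sending no header otherwise.

```python
import socketserver
from http.server import SimpleHTTPRequestHandler

# Assumed values for this example; the skill's real PORT is not known here.
BIND_ADDRESS = "127.0.0.1"  # loopback only, instead of "" (all interfaces)
PORT = 8000

# Only the pet page's own origins may read responses cross-origin. A page from
# any other site open in the same browser gets no Access-Control-Allow-Origin
# header, so its fetch() of this server is blocked by the browser.
ALLOWED_ORIGINS = frozenset({
    f"http://{BIND_ADDRESS}:{PORT}",
    f"http://localhost:{PORT}",
})


def cors_header_for(origin):
    """Return the Access-Control-Allow-Origin value to send, or None for no header.

    Reflecting an allowlisted origin replaces the wildcard '*' the scan flagged.
    """
    if origin in ALLOWED_ORIGINS:
        return origin
    return None


class LoopbackPetHandler(SimpleHTTPRequestHandler):
    """Serves files from the current directory like the original handler,
    but only emits CORS headers for allowlisted origins."""

    def end_headers(self):
        allowed = cors_header_for(self.headers.get("Origin"))
        if allowed is not None:
            self.send_header("Access-Control-Allow-Origin", allowed)
            # Response differs per Origin, so tell caches not to share it.
            self.send_header("Vary", "Origin")
        super().end_headers()

    def log_message(self, format, *args):
        pass  # keep the console quiet; remove to see request logs


class LoopbackServer(socketserver.TCPServer):
    allow_reuse_address = True  # restart promptly after Ctrl-C


def make_server(bind_address=BIND_ADDRESS, port=PORT):
    """Create the server bound to loopback only. It is bound but not yet serving;
    call serve_forever() (or use it as a context manager) to start."""
    return LoopbackServer((bind_address, port), LoopbackPetHandler)


if __name__ == "__main__":
    with make_server() as httpd:
        host, bound_port = httpd.server_address[:2]
        print(f"Serving on http://{host}:{bound_port}/ (loopback only); Ctrl-C to stop")
        try:
            httpd.serve_forever()
        except KeyboardInterrupt:
            pass
```

Binding to 127.0.0.1 is what removes the network exposure; the CORS change addresses the separate browser-side exposure, where the wildcard let any site read the served files. Checking the bound address after starting (for example with `ss -ltnp` or `netstat -an` and confirming the listener shows 127.0.0.1 rather than 0.0.0.0 or *) is a quick way to verify the fix took effect.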

What this means

The pet may keep running in the background and continue tracking cursor position for movement until the user quits it from the tray/menu.

Why it was flagged

The desktop pet is designed to stay on top, update frequently, follow the mouse, and hide instead of exiting when closed. This is consistent with a desktop pet, but it is persistent within the user session.

Skill content
Qt.WindowStaysOnTopHint | Qt.Tool ... self.timer.start(16) ... app.setQuitOnLastWindowClosed(False) ... def closeEvent(self, event): event.ignore(); self.hide()
Recommendation

Use the tray Quit option when finished: closing the window only hides it, so the pet process (and its mouse-position polling) keeps running until it is quit from the tray or the session ends.