ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pixel Office

v1.0.0

Animated pixel-art office where agents appear as characters that walk, sit, and interact with furniture in real time. 像素风办公室,让各个 agents 以角色形式实时走动、入座,并与家具互动。

0· 474·1 current·1 all-time
by@xmanrui

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for xmanrui/pixel-office.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Pixel Office" (xmanrui/pixel-office) from ClawHub.
Skill page: https://clawhub.ai/xmanrui/pixel-office
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install xmanrui/pixel-office

ClawHub CLI

Package manager switcher

npx clawhub@latest install pixel-office
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to provide a 'Pixel Office' visualization but its runtime instructions actually clone and run an entire OpenClaw Dashboard project from GitHub. That is plausibly related, but there are inconsistencies: SKILL.md clones https://github.com/xmanrui/OpenClaw-bot-review while README references openclaw-bot-dashboard/openclaw-bot-review interchangeably. Running a full dashboard is a much larger capability than the 'pixel-office' name implies; the repo mismatch is an incoherence that merits caution.
Instruction Scope
Instructions include stopping processes on port 3000 (kill -9 / taskkill), deleting directories, cloning/downloading a GitHub repo, running npm install, and starting a background dev server. These actions are within the scope of 'launch a local dashboard' but they grant the skill the ability to modify files, kill processes, and run arbitrary JavaScript (npm install + npm run dev). The skill also reads the OpenClaw config (~/.openclaw/openclaw.json) and detects LAN IPs to return LAN URLs — behavior consistent with a dashboard but sensitive.
Install Mechanism
No install spec (instruction-only). The runtime flow clones or downloads a ZIP from GitHub (well-known host) and runs npm install/run. Downloading from GitHub is acceptable practice, but executing dependencies and dev server code from a third-party repository is a non-trivial risk because that code will run on the user's machine.
!
Credentials
The skill declares no required env vars, but it explicitly reads the OpenClaw config at ~/.openclaw/openclaw.json (or %USERPROFILE%\.openclaw\openclaw.json). That local config can contain API keys, gateway tokens, or other secrets. Reading and serving this data via a web UI is functionally justified for a dashboard but is proportionate only if the user expects a local admin dashboard. The skill does not document how sensitive config is handled or whether the dev server binds to localhost only, so this raises confidentiality concerns.
Persistence & Privilege
always is false and the skill does not request permanent platform-wide privileges. It will create a project directory (~/projects/OpenClaw-bot-review) and start a background dev server, which is expected behavior for a local dashboard. It does not modify other skills or system-wide agent settings in the provided instructions.
Scan Findings in Context
[NO_CODE_FILES_TO_SCAN] expected: The regex scanner had no code files to analyze (instruction-only skill). The primary risk comes from the instructions which clone and execute remote code.
What to consider before installing
Before installing/running this skill: (1) Inspect the GitHub repository it will clone (the SKILL.md references github.com/xmanrui/OpenClaw-bot-review but README mentions other names) — review package.json, server startup code, and any network/exfiltration code. (2) Be aware it will read ~/.openclaw/openclaw.json which may contain API keys; do not run it if you don’t want that local config served by the dashboard. (3) Run the project in an isolated environment (VM/container) or on a machine without sensitive credentials. (4) Confirm the dev server binds to localhost (not 0.0.0.0) or protect it with firewall rules if you must expose it to LAN. (5) If unsure, clone the repo yourself, audit it, and start it manually rather than allowing the skill to perform automatic cloning/installation. (6) The repo name inconsistency is a red flag — verify the exact repository/author before proceeding.

Like a lobster shell, security has layers — review code before you run it.

latestvk973ghyzvrzgkxxv7htbkdq91n82da9m
474downloads
0stars
1versions
Updated 18h ago
v1.0.0
MIT-0
@xmanrui
latest
Download

Pixel Office Skill

Launch and manage the Pixel Office web UI where agents appear as animated pixel-art characters that walk, sit, and interact with furniture in real time.

Activation

Activate when user says:

  • "打开像素办公室"
  • "open pixel office"
  • "像素办公室"
  • "pixel office"

What This Skill Does

  1. Detects the operating system (macOS/Windows)
  2. Checks if git is installed
  3. Downloads/clones the OpenClaw Dashboard project if not already present
  4. Installs dependencies (npm install)
  5. Starts the development server in background
  6. Returns the access URL to the user

Installation Directory

  • macOS/Linux: ~/projects/OpenClaw-bot-review/
  • Windows: %USERPROFILE%\projects\OpenClaw-bot-review\

Prerequisites

  • Node.js 18+ must be installed
  • OpenClaw config at ~/.openclaw/openclaw.json (or %USERPROFILE%\.openclaw\openclaw.json on Windows)

Workflow

Step 1: Check if already running and stop it

# Check if process is already running on port 3000
# macOS/Linux
lsof -ti:3000

# Windows
netstat -ano | findstr :3000

If already running:

  • Stop the service first (ensure clean restart)

macOS/Linux:

lsof -ti:3000 | xargs kill -9 2>/dev/null
echo "已停止旧服务"

Windows (PowerShell):

Get-Process -Id (Get-NetTCPConnection -LocalPort 3000).OwningProcess | Stop-Process -Force
Write-Host "已停止旧服务"

Windows (cmd):

for /f "tokens=5" %a in ('netstat -ano ^| findstr :3000') do taskkill /F /PID %a
echo 已停止旧服务

Then proceed to Step 1.5.

Step 1.5: Check for updates (if project exists)

If project exists, check if there's a newer version:

If git is available:

# macOS/Linux
cd ~/projects/OpenClaw-bot-review
git fetch origin main 2>/dev/null
LOCAL=$(git rev-parse HEAD 2>/dev/null)
REMOTE=$(git rev-parse origin/main 2>/dev/null)

if [ "$LOCAL" != "$REMOTE" ]; then
  echo "update_available"
else
  echo "up_to_date"
fi

# Windows (PowerShell)
cd "$env:USERPROFILE\projects\OpenClaw-bot-review"
git fetch origin main 2>$null
$local = git rev-parse HEAD 2>$null
$remote = git rev-parse origin/main 2>$null
if ($local -ne $remote) { "update_available" } else { "up_to_date" }

If update available:

  • Inform user: "检测到新版本,正在更新..."
  • Pull latest code: git pull origin main
  • Reinstall dependencies: npm install
  • Continue to Step 5 (start service)

If up to date:

  • Continue to Step 5 (start service)

If git is NOT available:

  • Inform user: "检测到项目无 git 管理,正在重新下载最新版本..."
  • Remove old project directory: 
    # macOS/Linux
rm -rf ~/projects/OpenClaw-bot-review

# Windows (PowerShell)
Remove-Item -Recurse -Force "$env:USERPROFILE\projects\OpenClaw-bot-review"
  • Go to Step 3 (download project via ZIP)

Step 2: Check if project exists

# macOS/Linux
test -d ~/projects/OpenClaw-bot-review && echo "exists" || echo "not found"

# Windows (PowerShell)
Test-Path "$env:USERPROFILE\projects\OpenClaw-bot-review"

If exists, skip to Step 4.

Step 3: Download project

Option A: With git (preferred)

# macOS/Linux
mkdir -p ~/projects
cd ~/projects
git clone https://github.com/xmanrui/OpenClaw-bot-review.git

# Windows (PowerShell)
New-Item -ItemType Directory -Force -Path "$env:USERPROFILE\projects"
cd "$env:USERPROFILE\projects"
git clone https://github.com/xmanrui/OpenClaw-bot-review.git

Option B: Without git (fallback)

macOS/Linux:

mkdir -p ~/projects
cd ~/projects
curl -L https://github.com/xmanrui/OpenClaw-bot-review/archive/refs/heads/main.zip -o openclaw-dashboard.zip
unzip openclaw-dashboard.zip
mv OpenClaw-bot-review-main OpenClaw-bot-review
rm openclaw-dashboard.zip

Windows (PowerShell):

New-Item -ItemType Directory -Force -Path "$env:USERPROFILE\projects"
cd "$env:USERPROFILE\projects"
Invoke-WebRequest -Uri "https://github.com/xmanrui/OpenClaw-bot-review/archive/refs/heads/main.zip" -OutFile "openclaw-dashboard.zip"
Expand-Archive -Path "openclaw-dashboard.zip" -DestinationPath "."
Rename-Item -Path "OpenClaw-bot-review-main" -NewName "OpenClaw-bot-review"
Remove-Item "openclaw-dashboard.zip"

Windows (cmd with curl - Windows 10+):

mkdir "%USERPROFILE%\projects" 2>nul
cd /d "%USERPROFILE%\projects"
curl -L https://github.com/xmanrui/OpenClaw-bot-review/archive/refs/heads/main.zip -o openclaw-dashboard.zip
tar -xf openclaw-dashboard.zip
ren OpenClaw-bot-review-main OpenClaw-bot-review
del openclaw-dashboard.zip

Step 4: Install dependencies (if needed)

Check if node_modules exists. If not:

# macOS/Linux
cd ~/projects/OpenClaw-bot-review
npm install

# Windows
cd "%USERPROFILE%\projects\OpenClaw-bot-review"
npm install

Step 5: Start the server

macOS/Linux:

cd ~/projects/OpenClaw-bot-review
npm run dev > /dev/null 2>&1 &

Windows (PowerShell):

cd "$env:USERPROFILE\projects\OpenClaw-bot-review"
Start-Process -NoNewWindow -FilePath "npm" -ArgumentList "run", "dev"

Windows (cmd):

cd /d "%USERPROFILE%\projects\OpenClaw-bot-review"
start /B npm run dev

Step 6: Wait for server to be ready

Poll http://localhost:3000 until it responds (max 30 seconds).

# macOS/Linux
for i in {1..30}; do
  curl -s http://localhost:3000 > /dev/null && break
  sleep 1
done

# Windows (PowerShell)
for ($i=0; $i -lt 30; $i++) {
  try {
    Invoke-WebRequest -Uri "http://localhost:3000" -UseBasicParsing -TimeoutSec 1 | Out-Null
    break
  } catch {
    Start-Sleep -Seconds 1
  }
}

Step 7: Return access URLs (required)

You MUST return both:

  • Local URL
  • LAN URL

First, actually detect the machine's LAN IPv4 address. Do not guess it.

macOS/Linux:

(ipconfig getifaddr en0 || ipconfig getifaddr en1 || hostname -I | awk '{print $1}') 2>/dev/null

Windows (PowerShell):

(Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias "Ethernet*","Wi-Fi*" | Select-Object -First 1).IPAddress

Rules:

  • You MUST execute an IP detection command before composing the final reply.
  • Do NOT guess or fabricate the LAN IP.
  • Do NOT omit the LAN URL just because localhost works.
  • You MUST include both the local URL and the LAN URL in the final reply.
  • If LAN IP detection fails, you MUST still include the local URL and explicitly say:
    • 局域网访问地址:获取失败
    • and briefly mention that LAN IP detection failed.
  • Do NOT end with only a localhost URL.

Return message format:

✅ Pixel Office 已启动!

访问地址:
- 本地访问:http://localhost:3000/pixel-office
- 局域网访问:http://<LAN-IP>:3000/pixel-office

Pixel Office 会自动读取你的 OpenClaw 配置,展示所有机器人、模型、会话的状态。

需要停止服务时告诉我一声。

If LAN IP detection fails, use:

✅ Pixel Office 已启动!

访问地址:
- 本地访问:http://localhost:3000/pixel-office
- 局域网访问:获取失败

原因:未能检测到当前机器的局域网 IPv4 地址。

需要停止服务时告诉我一声。

Stopping the Server

When user asks to stop:

macOS/Linux:

lsof -ti:3000 | xargs kill -9

Windows (PowerShell):

Get-Process -Id (Get-NetTCPConnection -LocalPort 3000).OwningProcess | Stop-Process -Force

Windows (cmd):

for /f "tokens=5" %a in ('netstat -ano ^| findstr :3000') do taskkill /F /PID %a

Error Handling

  • Node.js not found: Tell user to install Node.js 18+ from https://nodejs.org/
  • Port 3000 already in use: Check if it's the dashboard (return URL) or another service (suggest using a different port with PORT=3001 npm run dev)
  • OpenClaw config not found: Warn that dashboard may not work properly without ~/.openclaw/openclaw.json
  • Download failed: Suggest checking internet connection or manually downloading from GitHub
  • npm install failed: Suggest running npm cache clean --force and retrying

Notes

  • The server runs in background and persists until stopped or system reboot
  • Dashboard reads config directly from ~/.openclaw/openclaw.json - no database needed
  • Supports auto-refresh, dark/light theme, i18n (Chinese/English)
  • Includes pixel-art office animation for fun visualization

Platform Detection

# Detect OS
uname -s  # macOS: Darwin, Linux: Linux, Windows (Git Bash): MINGW*/MSYS*

# Windows detection in PowerShell
$PSVersionTable.Platform  # Win32NT or empty on Windows

Git Detection

# Check if git is available
git --version
# Exit code 0 = installed, non-zero = not installed

Detection logic:

  1. Run git --version at the beginning
  2. Store result (available/not available)
  3. Use this result throughout the workflow

If git not available:

  • Always use ZIP download method
  • Always force re-download when project exists (to get latest version)
  • Clean up old directory before downloading

Implementation Tips

  1. Always stop old service first - ensures clean restart with latest code
  2. Check git availability at the start - determines update strategy
  3. With git: Check for updates and pull if needed
  4. Without git: Force re-download ZIP to ensure latest version
  5. No user confirmation needed - auto-update and restart for best UX
  6. Use background process management to avoid blocking
  7. Provide clear feedback at each step ("已停止旧服务", "检测到新版本,正在更新...", "正在重新下载最新版本...")
  8. Handle both PowerShell and cmd on Windows
  9. Clean up temporary files (zip archives)
  10. Log errors for debugging but keep user messages simple
  11. Always ensure latest code - either via git pull or re-download

Comments

Loading comments...