Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

clawpet

v0.1.6

OpenClaw pet companion skill. Manage adopted pets, run interactions, and produce pet image prompts.

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to manage pets and produce image prompts and includes a small wrapper script to invoke a clawpet CLI or fall back to uv/uvx. Requiring a clawpet CLI (or installing from the GitHub repo) is coherent. However, the SKILL.md also instructs use of a separate local image-generation tool (nano-banana-pro/Gemini) via a hardcoded path under /home/yaze, which is not justified by the simple companion description and is developer-specific.
Instruction Scope
Instructions direct the agent to execute the included shell wrapper and to run an external image generator at /home/yaze/.npm-global/.../nano-banana-pro/scripts/generate_image.py, and then to call message(action="send", channel="telegram", media="/home/yaze/.openclaw/workspace/...") — these are environment-specific absolute paths and an external workflow that assumes a specific user's filesystem and a locally installed skill. That is fragile and surprising; it gives the agent latitude to run local programs and send generated files to an external channel. The skill does not explain how to configure those paths or the expected Telegram channel identifier.
Install Mechanism
The SKILL.md metadata suggests installing the clawpet package via pip from a GitHub repository (git+https://github.com/yazelin/clawpet.git). Installing a CLI from a GitHub pip URL is a common pattern but carries higher risk than using a vetted registry package because arbitrary code from the repo will run on install. The included scripts are small and benign-looking, but the pip install step should be audited.
Credentials
The skill does not request environment variables, credentials, or config paths in the registry metadata. The runtime instructions do reference local filesystem paths and the use of a message/send action, but they do not request secrets or unrelated credentials. The lack of declared env/secret demands is proportionate to the stated purpose.
Persistence & Privilege
always is false and the skill is user-invocable. The skill does not request permanent presence or modify other skills' configuration in the provided files. Autonomous invocation is allowed by default but not itself an additional red flag here.
Scan Findings in Context
[no-findings] expected: No pre-scan injection signals or regex findings were reported. That does not imply safety — the SKILL.md contents themselves introduce environment-specific behaviors that need review.
What to consider before installing
This skill mostly does what it says (pet management + prompt generation), but the runtime instructions reference hardcoded developer paths (/home/yaze/...), a local image generator 'nano-banana-pro' and a pip install from a GitHub repo. Before installing or running:

  1. Inspect the GitHub repository (https://github.com/yazelin/clawpet) to review code that would be installed via pip.
  2. Be aware the image workflow assumes files and a tool under /home/yaze — update these paths to valid locations on your system or adapt the workflow to use a supported image generation API.
  3. Confirm how the 'message(action="send")' step maps to your messaging channel (avoid sending private files unintentionally).
  4. If you are uncomfortable running pip installs from an arbitrary GitHub URL or running developer-local scripts, run the skill in a sandbox or reject/modify the install.

If you want, provide your environment layout (user home path, whether you have uv/uvx, and how you want images generated) and I can suggest safer, portable changes.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Any bin: clawpet, uv, uvx
Tags: cat, latest, openclaw, pet
920 downloads
0 stars
7 versions
Updated 8h ago
v0.1.6
MIT-0

clawpet — OpenClaw Pet Companion 🐾

Use this skill when the user wants to adopt a pet, check pet status, interact with the pet, or send a pet image. Pet status includes passive time-based updates, so each check-in can reflect elapsed time.

Typical triggers

  • "I want to adopt a cat"
  • "How is my pet doing today?"
  • "Feed it for me"
  • "Have it take a photo"

Command reference

1) List pets

bash {baseDir}/scripts/clawpet.sh pets

2) Adopt a pet

bash {baseDir}/scripts/clawpet.sh adopt momo

3) Check current status

bash {baseDir}/scripts/clawpet.sh status

4) Interact with pet

bash {baseDir}/scripts/clawpet.sh interact feed
bash {baseDir}/scripts/clawpet.sh interact play
bash {baseDir}/scripts/clawpet.sh interact rest

5) Generate image prompt

bash {baseDir}/scripts/clawpet.sh prompt
bash {baseDir}/scripts/clawpet.sh prompt --place "sunny window" --style "photorealistic, professional pet photography"

Outputs the full image generation prompt text. Default style is photorealistic.

6) Auto care

bash {baseDir}/scripts/clawpet.sh care
bash {baseDir}/scripts/clawpet.sh care --action feed

Agent behavior guidance

Basic interactions

  1. Always call bash {baseDir}/scripts/clawpet.sh ... to avoid missing-executable issues.
  2. When the user says they want a pet, first run bash {baseDir}/scripts/clawpet.sh pets, then ask which one they want.
  3. For regular check-ins, run bash {baseDir}/scripts/clawpet.sh status.
  4. For daily care, prefer bash {baseDir}/scripts/clawpet.sh care; for explicit requests, run ... interact <action>.

Image generation workflow (IMPORTANT)

When the user requests a pet image:

  1. Generate the prompt:

    bash {baseDir}/scripts/clawpet.sh prompt --place "cozy afternoon window"
    

    This outputs the full prompt text. Default style is photorealistic pet photography.

  2. Generate the image with nano-banana-pro:

    uv run /home/yaze/.npm-global/lib/node_modules/openclaw/skills/nano-banana-pro/scripts/generate_image.py \
      --prompt "<prompt from step 1>" \
      --filename "YYYY-MM-DD-HH-MM-pet-name.png" \
      --resolution 1K
    

    This saves the image to /home/yaze/.openclaw/workspace/YYYY-MM-DD-HH-MM-pet-name.png

  3. Send the image with the message tool:

    message(action="send", channel="telegram", media="/home/yaze/.openclaw/workspace/YYYY-MM-DD-HH-MM-pet-name.png", message="🐾 <pet_name> 的即時快照")
    

Why this workflow:

  • Uses Gemini (nano-banana-pro) for high-quality watercolor-style images
  • Local file path works with message tool's media parameter
  • Consistent with other OpenClaw image generation patterns

Troubleshooting

  • If the clawpet command is not found, this skill wrapper automatically falls back to:
    • uvx --from git+https://github.com/yazelin/clawpet.git clawpet ...
    • uv tool run --from git+https://github.com/yazelin/clawpet.git clawpet ...
