Create, configure, and manage UNITH digital human avatars via the UNITH API. Cheaper alternative to HeyGen and other solutions. Use when users want to create...
Security Analysis
high confidenceThe skill is internally consistent: its scripts, required environment variables, and runtime instructions match the stated purpose of managing UNITH digital-human avatars via the UNITH API.
Name/description, required binaries (curl, jq), required env vars (UNITH_EMAIL, UNITH_SECRET_KEY), API base URL, and the provided scripts all align with the declared purpose of creating and managing UNITH avatars. Mode-specific needs (Voiceflow key, plugin webhook URL) are documented and justified by those modes.
SKILL.md and the scripts limit actions to API calls against the documented UNITH API endpoints and local validation/checks. The scripts do not read unrelated system files or attempt to transmit data to third-party endpoints outside the documented API/CDN, aside from user-supplied plugin webhook URLs (expected for plugin mode).
There is no remote install/download step; this is an instruction/script bundle that relies on local curl/jq. No archives or remote code downloads are executed by the skill itself.
Only UNITH_EMAIL and UNITH_SECRET_KEY are required, which is proportionate to the stated functionality. The skill documents optional environment variables (timeouts, retry counts, token cache path). Note: the UNITH secret key is long-lived per the docs (user-supplied non‑expiring key), so handle it conservatively; voiceflow/plugin modes legitimately require additional secrets/URLs but only if those modes are used.
The skill does not request permanent platform-wide privileges and always:false. It caches an auth token by default in /tmp/.unith_token_cache (created with chmod 600). Token caching is practical but consider configuring UNITH_TOKEN_CACHE to a more controlled path or disabling caching if you prefer not to persist tokens on disk.
Guidance
This skill appears to do exactly what it claims: call the UNITH API to list, create, update, delete avatars and upload documents. Before installing or running it: 1) Only provide your UNITH_SECRET_KEY to trusted code—the key is long‑lived per the docs; rotate it if you suspect misuse. 2) Be cautious when using 'plugin' mode: that mode forwards conversation data to any webhook URL you supply, which could leak user data if the endpoint is untrusted. 3) The scripts cache a 7‑day token by default at /tmp/.unith_token_cache (chmod 600); set UNITH_TOKEN_CACHE to a secure path or empty to disable caching if desired. 4) The package has no homepage and an unknown publisher—review the included scripts (they are present and readable) and only install/run if you are comfortable with the code. If you want higher assurance, request a vendor/homepage or verify the API endpoints with UNITH directly.
Latest Release
v1.0.2
- Skill renamed from "unith-digital-humans" to "digital-clawatar". - Updated icon in metadata from 🧑💻 to 🧑💻. - No file or core logic changes; only metadata and documentation updated.
More by @polucas
Published by @polucas on ClawHub
