Safety Report

LiveAvatar

Name: LiveAvatar
Rating: 5 (8 reviews)
Author: eNNNo

@eNNNo

Talk face-to-face with your OpenClaw agent using a real-time video avatar powered by LiveAvatar

1,742Downloads

5Installs

8Stars

1Versions

Video & Audio1,618 Legal & Compliance738

Security Analysis

high confidence

Clean0.08 risk

The skill's requirements and runtime instructions match its purpose (running a LiveAvatar front-end that talks to OpenClaw and LiveAvatar), but it will download and run an npm package at runtime so you should vet the package and be mindful of voice/data privacy.

Feb 11, 20261 files2 concerns

Purpose & Capabilityok

Name/description, required binaries (node, npm), required env var (LIVEAVATAR_API_KEY), and the declared npm package (openclaw-liveavatar) are all consistent with providing a real‑time avatar frontend that uses LiveAvatar's service.

Instruction Scopenote

SKILL.md stays within the stated purpose: it checks for LIVEAVATAR_API_KEY, instructs the user to run the avatar (npx openclaw-liveavatar), and explains the local OpenClaw Gateway connection (port 18789) and localhost UI (http://localhost:3001). Be aware the instructions tell you to run npx which will fetch/execute code from npm at runtime; the doc does not request unrelated files, env vars, or system credentials.

Install Mechanismnote

The install uses an npm package (openclaw-liveavatar) which is a common mechanism but carries supply‑chain risk: npx/install will execute package code from the public registry. The SKILL.md includes a GitHub link to the project's repo, which helps auditability, but the manifest does not pin a specific package version.

Credentialsok

Only LIVEAVATAR_API_KEY is required which is appropriate for a third‑party avatar service. No unrelated credentials or config paths are requested.

Persistence & Privilegeok

The skill is not always-enabled and does not request elevated platform privileges. It runs a local server and connects to the local OpenClaw Gateway as expected; there is no indication it modifies other skills or system-wide settings.

Guidance

This skill appears coherent with its stated purpose, but take these precautions before installing: - Review the npm package source (https://github.com/eNNNo/openclaw-liveavatar) or the published package contents before running npx to ensure no unexpected behavior. - Prefer installing a pinned package version (npm install openclaw-liveavatar@<version>) rather than always running npx on the latest tag. - Be aware audio and transcriptions are sent to LiveAvatar and your OpenClaw Gateway; avoid using sensitive voice data unless you trust those services and their privacy policies. - Store the LIVEAVATAR_API_KEY in a secure place (not a world-readable file); avoid exporting secrets in shared shells. - The skill launches a local web UI (http://localhost:3001) — ensure you only run it on trusted networks and close the session when finished. If you cannot or will not review the package code, treat the runtime npm install as a potential risk and consider declining installation.

Latest Release

v1.0.1

Initial release: voice/video avatar interface for OpenClaw agents

Popular Skills

self-improving-agent

@pskoett · 1,456 stars

Gog

@steipete · 672 stars

Tavily Web Search

@arun-8687 · 620 stars

Find Skills

@JimLiuxinghai · 529 stars

Proactive Agent

@halthelobster · 426 stars

Summarize

@summarize · 415 stars

Published by @eNNNo on ClawHub