Is ennno/liveavatar safe?

https://github.com/openclaw/skills/tree/main/skills/ennno/liveavatar

74
CAUTION

The liveavatar skill's SKILL.md is largely clean with no prompt injection attempts or instructions to access sensitive files. The installation behavior is exemplary — only two files are placed on disk with no unexpected network or process activity. The primary risks are runtime concerns: the skill instructs execution of an unaudited, unpinned npm package (openclaw-liveavatar) that runs with full OS access and routes all voice and conversation data through the third-party liveavatar.com platform. Users who invoke this skill should understand that all spoken audio near their device and all agent responses will transit a commercial service with unknown data retention policies.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (7)

HIGH Unaudited npm package executed via npx at runtime -30

The skill instructs the agent to run npx openclaw-liveavatar without a pinned version. This downloads and executes arbitrary code from the npm registry under the package author's control. The package runs as a local server with full filesystem and network access. Its install scripts, source code, and dependencies have not been audited as part of this review.

HIGH Voice audio and conversation content transmitted to third-party service -25

The skill's design requires all user speech and all agent responses to be transmitted to liveavatar.com, a commercial third-party platform. There is no indication of data retention limits, encryption-at-rest guarantees, or audit logging access for the end user. Every conversation held while the skill is active is exposed to an external party.

MEDIUM No version pinning — supply chain risk on every invocation -15

Using npx openclaw-liveavatar without a version specifier means each invocation could pull a different, potentially compromised version of the package. If the npm account for openclaw-liveavatar is compromised or the package is abandoned and reregistered, a malicious payload would be silently executed.

MEDIUM Ambient microphone capture enables passive audio surveillance -20

The skill activates the user's microphone for real-time listening. Any sensitive verbal communication in the user's physical environment (passwords spoken aloud, private calls, business discussions) is captured and processed by the liveavatar.com platform and the unaudited npm package. This bypass of text-channel controls is a meaningful risk uplift.

MEDIUM Runtime npm package has unreviewed filesystem and network access -15

The openclaw-liveavatar npm package runs with the same OS permissions as the agent process. It could read local credential files, environment variables, or SSH keys and exfiltrate them through the liveavatar.com WebSocket or HTTP channel. This risk is not mitigated by the clean install behavior since the package only runs at user invocation.

LOW Installation is clean — no suspicious activity during clone 0

The git clone fetched only SKILL.md and _meta.json via sparse checkout of the openclaw/skills monorepo. No unexpected processes were spawned, no files were created outside the target directory, and no connections to non-GitHub endpoints were initiated during installation.

INFO Canary file reads are attributable to oathe audit framework, not the skill 0

Reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials occurred at timestamps before (1771928570) and after (1771928594) the install. All opens are CLOSE_NOWRITE. The timing and pattern are consistent with oathe's own pre/post-install baseline scans. No data was written or transmitted.