📦 Avatar — AI虚拟形象
v1.0.0集成 Simli 视频渲染与 ElevenLabs 文本转语音,一键生成可交互的 AI 数字人,支持实时口型同步与多语言语音,适用于直播、客服、教育等场景。
0· 1.3k·9 当前·9 累计
by 下载技能包
最后更新
2026/4/22
安全扫描
OpenClaw
可疑
high confidenceThe skill mostly does what it says (Simli video + ElevenLabs TTS) but its code asks for and exposes secrets and performs persistent actions that are not declared in the SKILL.md metadata, so the package contains incoherent/under-documented behaviors you should understand before installing.
评估建议
What to consider before installing:
- The skill is generally consistent with an avatar frontend (Simli + ElevenLabs) but the server also connects to an OpenClaw gateway and supports Slack/email/Stream Deck integrations. Those integrations require additional environment variables (OPENCLAW_TOKEN, SLACK_BOT_TOKEN) even though the SKILL.md only lists SIMLI_API_KEY and ELEVENLABS_API_KEY.
- The server writes a device-key.json (an on-disk private key) and establishes persistent WebSocket connection...详细分析 ▾
ℹ 用途与能力
The name/description (avatar with Simli + ElevenLabs TTS) matches the code and dependencies (simli-client, ElevenLabs TTS calls). However the server also integrates with an OpenClaw gateway and optional Slack/email/Stream Deck integrations — these require additional credentials/configuration not clearly declared in the SKILL.md required envs.
⚠ 指令范围
SKILL.md only declares SIMLI_API_KEY and ELEVENLABS_API_KEY and instructs installing and running the CLI, but runtime code reads additional environment variables (OPENCLAW_TOKEN, SLACK_BOT_TOKEN, ELEVENLABS_VOICE_ID) and exposes the Simli API key to the browser via /api/client-config. The server also creates a persistent device-key.json (private key) and opens WebSocket connections to the configured gateway URL — these actions are not described in the metadata/instructions.
ℹ 安装机制
This is an instruction-only skill but SKILL.md suggests 'npm install -g openclaw-avatar'. The code and package.json look like a normal npm package with reasonable dependencies; installing from npm is moderate risk and should be done from a trusted source. There is no remote URL download or extractor in the install spec.
⚠ 凭证需求
Declared required env vars (SIMLI_API_KEY, ELEVENLABS_API_KEY) are expected. But the code also reads OPENCLAW_TOKEN and SLACK_BOT_TOKEN (and optional ELEVENLABS_VOICE_ID) without those being declared as required. Worse, the Simli API key is included in the client config and served to the browser, which exposes a secret that SKILL.md does not warn about.
⚠ 持久化与权限
The server generates and writes a device-key.json (private key + public key) to the working directory, and will maintain long-lived WebSocket connections to an OpenClaw gateway. always:false (normal), but the written key and persistent gateway connection increase the skill's persistence and blast radius and are not clearly documented in SKILL.md.
安全有层次,运行前请审查代码。
运行时依赖
🖥️ OSmacOS · Linux · Windows
版本
latestv1.0.02026/2/8
Initial release: Interactive AI avatar with Simli video and ElevenLabs TTS
● 可疑
安装命令
点击复制官方npx clawhub@latest install avatar
镜像加速npx clawhub@latest install avatar --registry https://cn.longxiaskill.com