← Back to Skills Marketplace
Clawatar
by
Dongping-Chen
· GitHub ↗
· v0.2.0
1161
Downloads
2
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install clawatar
Description
Give your AI agent a 3D VRM avatar body with animations, expressions, voice chat, and lip sync. Use when the user wants a visual avatar, VRM viewer, avatar companion, VTuber-style character, or 3D character they can talk to. Installs a web-based viewer controllable via WebSocket.
README (SKILL.md)
Clawatar — 3D VRM Avatar Viewer
Give your AI agent a body. Web-based VRM avatar with 162 animations, expressions, TTS lip sync, and AI chat.
Install & Start
# Clone and install
git clone https://github.com/Dongping-Chen/Clawatar.git ~/.openclaw/workspace/clawatar
cd ~/.openclaw/workspace/clawatar && npm install
# Start (Vite + WebSocket server)
npm run start
Opens at http://localhost:3000 with WS control at ws://localhost:8765.
Users must provide their own VRM model (drag & drop onto page, or set model.url in clawatar.config.json).
WebSocket Commands
Send JSON to ws://localhost:8765:
play_action
{"type": "play_action", "action_id": "161_Waving"}
set_expression
{"type": "set_expression", "name": "happy", "weight": 0.8}
Expressions: happy, angry, sad, surprised, relaxed
speak (requires ElevenLabs API key)
{"type": "speak", "text": "Hello!", "action_id": "161_Waving", "expression": "happy"}
reset
{"type": "reset"}
Quick Animation Reference
| Mood | Action ID |
|---|---|
| Greeting | 161_Waving |
| Happy | 116_Happy Hand Gesture |
| Thinking | 88_Thinking |
| Agreeing | 118_Head Nod Yes |
| Disagreeing | 144_Shaking Head No |
| Laughing | 125_Laughing |
| Sad | 142_Sad Idle |
| Dancing | 105_Dancing, 143_Samba Dancing, 164_Ymca Dance |
| Thumbs Up | 153_Standing Thumbs Up |
| Idle | 119_Idle |
Full list: public/animations/catalog.json (162 animations)
Sending Commands from Agent
cd ~/.openclaw/workspace/clawatar && node -e "
const W=require('ws'),s=new W('ws://localhost:8765');
s.on('open',()=>{s.send(JSON.stringify({type:'speak',text:'Hello!',action_id:'161_Waving',expression:'happy'}));setTimeout(()=>s.close(),1000)})
"
UI Features
- Touch reactions: Click avatar head/body for reactions
- Emotion bar: Quick 😊😢😠😮😌💃 buttons
- Background scenes: Sakura Garden, Night Sky, Café, Sunset
- Camera presets: Face, Portrait, Full Body, Cinematic
- Voice chat: Mic input → AI response → TTS lip sync
Config
Edit clawatar.config.json for ports, voice settings, model URL. TTS requires ElevenLabs API key in env (ELEVENLABS_API_KEY) or ~/.openclaw/openclaw.json under skills.entries.sag.apiKey.
Notes
- Animations from Mixamo — credit required, non-commercial
- VRM model not included (BYOM — Bring Your Own Model)
- Works standalone without OpenClaw; AI chat is optional
Usage Guidance
This skill appears to do what it says (a local web-based VRM viewer with TTS), but there are several red flags you should address before installing: 1) The registry metadata omits that an ELEVENLABS_API_KEY and a config path (~/.openclaw/openclaw.json) are used — ask the publisher to update metadata. 2) The runtime requires git clone + npm install + npm run start of a third-party GitHub repo; inspect that repo, especially package.json and any npm scripts, before running. 3) Prefer providing ELEVENLABS_API_KEY via environment variable (ELEVENLABS_API_KEY) rather than writing it into a shared ~/.openclaw config; if you must store it, review who/what can read that file. 4) Run the viewer in an isolated environment (container or VM) if you cannot fully vet the code. 5) Verify licensing for Mixamo assets and confirm the GitHub repo's trustworthiness (owner, commit history, issues). If you want, ask the skill author for a homepage, signed release, or a minimal install payload (e.g., packaged release) rather than running npm install from master.
Capability Analysis
Type: OpenClaw Skill
Name: clawatar
Version: 0.2.0
The skill's installation process involves cloning a remote Git repository and installing npm dependencies, introducing supply chain risks. More critically, the `SKILL.md` instructs the AI agent to execute arbitrary Node.js code via `node -e` to interact with the local WebSocket server. While the provided example is benign, this capability presents a significant prompt injection vulnerability, allowing for potential arbitrary code execution (RCE) if an attacker can control the input to the `node -e` command.
Capability Assessment
Purpose & Capability
The declared purpose (3D VRM avatar with TTS/lip-sync) aligns with the runtime instructions (git clone a viewer, run npm, open local web + WebSocket). However the registry metadata lists no required env vars or config paths while SKILL.md explicitly requires an ELEVENLABS_API_KEY and references ~/.openclaw/openclaw.json — this mismatch is unexpected.
Instruction Scope
SKILL.md instructs cloning a GitHub repo, running npm install and npm run start (which will download and execute third-party JS), opening local ports, and optionally reading/storing an ElevenLabs API key in ~/.openclaw/openclaw.json under skills.entries.sag.apiKey. The instruction to persist a credential in a global config and the mismatch of the config key name (sag.apiKey) are scope-creep and potentially surprising to users.
Install Mechanism
There is no formal install spec in the registry; instead SKILL.md tells the agent/user to git clone https://github.com/Dongping-Chen/Clawatar and run npm install/start. That causes arbitrary code from a third-party repo and npm packages to be installed and executed on the host — normal for this functionality but a material risk unless the repo and package.json/scripts are reviewed.
Credentials
Requesting an ElevenLabs API key is proportional for TTS. But the registry incorrectly declares no env vars, and SKILL.md suggests storing the key either in the environment (ELEVENLABS_API_KEY) or in a shared ~/.openclaw/openclaw.json under a non-obvious key (skills.entries.sag.apiKey). Asking to persist credentials in a global/shared config without declaring it is concerning.
Persistence & Privilege
always:false (ok) and autonomous invocation is default (not by itself alarming). However the guidance to place an API key into the global OpenClaw config (which could be read by other skills) increases the blast radius for credential exposure. The skill also writes into ~/.openclaw/workspace/clawatar which is a persistent workspace location.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install clawatar - After installation, invoke the skill by name or use
/clawatar - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.2.0
Initial ClawHub release. 3D VRM avatar viewer with 162 animations, expressions, ElevenLabs TTS lip sync, AI chat via OpenClaw, sakura/anime UI theme, touch reactions, emotion bar, background scenes, camera presets.
Metadata
Frequently Asked Questions
What is Clawatar?
Give your AI agent a 3D VRM avatar body with animations, expressions, voice chat, and lip sync. Use when the user wants a visual avatar, VRM viewer, avatar companion, VTuber-style character, or 3D character they can talk to. Installs a web-based viewer controllable via WebSocket. It is an AI Agent Skill for Claude Code / OpenClaw, with 1161 downloads so far.
How do I install Clawatar?
Run "/install clawatar" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Clawatar free?
Yes, Clawatar is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Clawatar support?
Clawatar is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Clawatar?
It is built and maintained by Dongping-Chen (@dongping-chen); the current version is v0.2.0.
More Skills