- Downloads: 193
- Stars: 0
- Active Installs: 4
- Versions: 1
Install in OpenClaw
/install star-office
Description
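Star Office UI one-click Skill: helps its owner quickly deploy a pixel-office dashboard, with support for multiple agents joining, status visualization, mobile viewing, and public internet access.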
Usage Guidance
What to check before you install/run this Skill:
- Environment variables: the skill metadata lists none, but SKILL.md and the backend expect ASSET_DRAWER_PASS (default 1234), FLASK_SECRET_KEY/STAR_OFFICE_SECRET, and optional GEMINI_API_KEY/GEMINI_MODEL. Treat GEMINI_API_KEY as sensitive and only add it if you need image-generation.
- Default credentials: change ASSET_DRAWER_PASS (1234) and set a strong FLASK_SECRET_KEY before exposing the service. The backend will refuse to run in 'production' if secrets are weak, but when run locally the defaults are permissive.
- Filesystem scope: the backend intentionally reads/writes files in parent directories (../memory and ../skills). Run this in an isolated directory, container, or VM so the service cannot accidentally read unrelated files from your home or system.
- Network exposure: SKILL.md suggests using Cloudflare Tunnel to expose the UI publicly. Only do so after hardening secrets, and prefer using a reverse proxy or a controlled host. Verify join-keys and who can push agent status before making the site public.
- Source origin: the SKILL.md still instructs to git clone the GitHub repo even though the skill bundle contains source files. Prefer using the included bundle (inspect it) rather than fetching remote code unless you trust the remote repository.
- Prompt-injection scan hit: a pre-scan flagged a base64-like block. Inspect SKILL.md and the provided files for any encoded or obfuscated blocks before executing automated steps.
- Run safely: first run in a disposable environment (container, VM) and perform the optional smoke_test (scripts/smoke_test.py) to validate behavior. Review backend/app.py, scripts/office-agent-push.py and any code that performs network calls to ensure endpoints and behavior are acceptable for your environment.
If you need, I can list specific files to audit (e.g., backend/app.py, store_utils.py, any scripts that perform HTTP requests) or produce commands to run the service safely inside a container.
Capability Analysis
Type: OpenClaw Skill
Name: star-office
Version: 1.0.0
The skill bundle provides a pixel-art dashboard for AI agents but is classified as suspicious due to critical vulnerabilities in 'backend/app.py'. Specifically, the functions '_animated_to_spritesheet' and '_generate_rpg_background_to_webp' use 'os.system' and 'subprocess.run' with string formatting to execute shell commands (ffmpeg, ImageMagick, and python scripts). This pattern is highly susceptible to shell injection if asset filenames or prompt inputs are not strictly sanitized. Additionally, 'SKILL.md' instructs the AI agent to perform high-privilege operations such as 'git clone' and 'pip install' on the host system. While these behaviors are functionally aligned with the stated purpose of deploying a dashboard, the underlying code's lack of security hardening around shell execution poses a significant risk.
Capability Assessment
Purpose & Capability
The code and SKILL.md align with the stated purpose: a multi-agent pixel-office UI with optional AI image generation. Optional Gemini integration and a sidebar password feature match the described capabilities. However, the published skill metadata declares no required environment variables or credentials while the runtime instructions and code expect/encourage environment variables such as ASSET_DRAWER_PASS, GEMINI_API_KEY and GEMINI_MODEL — this is an incoherence between declared requirements and actual usage.
Instruction Scope
SKILL.md instructs the agent to run shell commands (git clone, pip install, run backend), copy scripts into a ../skills directory, create a venv at ../skills/gemini-image-generate/.venv and put user data in a parent-level memory/ directory. The backend code also reads/writes files in parent directories (MEMORY_DIR = ../memory and GEMINI script path in ../skills). Accessing/copying files outside the project root and instructing to expose a local server via Cloudflare Tunnel are surprising scope expansions and can expose private files or services if run from an environment with sensitive parent folders.
Install Mechanism
This is an instruction-only skill (no install spec). The runtime steps clone from GitHub and install Python packages via pip (requirements.txt). The skill bundle itself already contains the repo files but SKILL.md still instructs cloning the remote repo — redundant but not inherently malicious. There are no downloads from obscure URLs in the provided files, and dependencies are standard (Flask, Pillow).
Credentials
The skill metadata lists no required env vars, yet the code and SKILL.md reference/encourage setting ASSET_DRAWER_PASS, FLASK_SECRET_KEY / STAR_OFFICE_SECRET and optional GEMINI_API_KEY/GEMINI_MODEL. GEMINI_API_KEY is optional for image generation, which is reasonable, but the missing declaration of these environment requirements in the skill metadata is an inconsistency that could mislead users. Also the backend will read GEMINI keys from env or runtime-config files and will write runtime config files (with chmod attempts).
Persistence & Privilege
always:false (normal). The service persists state files (state.json, join-keys.json, agents-state.json, asset-*.json) under the project root and will auto-create them. More notable: the backend reads/writes to parent-directory paths (../memory and ../skills) which gives it broader filesystem reach than just the repo directory. That behavior increases potential for accidental access to nearby files and should be considered before running in a sensitive host environment.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install star-office
- After installation, invoke the skill by name or use /star-office
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
star-office-ui 1.0.0 — Initial Release
- Enables one-click deployment of a pixel office dashboard supporting multiple agents, status visualization, mobile viewing, and public access.
- Adds sidebar with customizable asset management and password protection (default: 1234), with strong password recommended for production/public use.
- Integrates with Gemini API for AI-powered room redesign; basic features work without API.
- Supports three languages (Chinese/English/Japanese) and self-managed art assets.
- Provides clear setup steps, state switching commands, and public access instructions (Cloudflare Tunnel recommended).
- Includes major March 2026 updates:
  - Asset copyright clarification (MIT for code, no commercial use for art assets, main character now a cat).
  - Security and stability fixes (CDN cache, frontend, image generation async mode, sidebar UX, join key enhancements).
  - Upgrade guidance and change reminders for existing users.
Frequently Asked Questions
What is Star Office?
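Star Office UI one-click Skill: helps its owner quickly deploy a pixel-office dashboard, with support for multiple agents joining, status visualization, mobile viewing, and public internet access. It is an AI Agent Skill for Claude Code / OpenClaw, with 193 downloads so far.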
How do I install Star Office?
Run "/install star-office" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Star Office free?
Yes, Star Office is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Star Office support?
Star Office is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Star Office?
It is built and maintained by 18153 (@18153); the current version is v1.0.0.