Mu Pet

by samskrta · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Downloads: 1025
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install mu-pet
Description
Animated pixel art desktop pet that roams the screen as an always-on-top Electron overlay. The pet avoids the cursor and active windows, walks along screen e...
Usage Guidance
What to consider before installing:
- This installs a local Electron app in your home directory and runs npm install, which will fetch packages (electron, express) from npm and run any package install scripts — common for Node apps but a vector for supply-chain risk. Only proceed if you trust the skill source.
- The installer writes a LaunchAgent plist to ~/Library/LaunchAgents and loads it immediately so the pet auto-starts on login. The uninstall script removes this, but check the plist before allowing it to run.
- The app uses osascript (AppleScript via child_process.execSync) to read the frontmost window's bounds. macOS may prompt you for Automation/Accessibility permissions when this runs.
- The pet exposes an unauthenticated HTTP API on 127.0.0.1:18891. Any local process can call it to change the pet's state (show text bubbles, etc.). This is expected functionality, but be aware that it is open to every local process.
- The Electron BrowserWindow is created with nodeIntegration: true and contextIsolation: false (the renderer has Node privileges). This is typical for simple local Electron tools, but increases impact if the renderer could be fed untrusted content. In this package the UI is local files; still, be cautious about editing it or enabling remote content.
- If you want to be extra careful: inspect main.js/index.html yourself, run the app in a sandboxed environment first (or review the npm install output), and verify the LaunchAgent plist path and ProgramArguments before loading it with launchctl.

Overall: the skill appears coherent for a macOS desktop pet; the risks are operational (npm install, LaunchAgent persistence, local unauthenticated API) rather than indicators of hidden malicious intent.
Capability Analysis
Type: OpenClaw Skill
Name: mu-pet
Version: 1.0.0

The skill is classified as suspicious due to the use of `child_process.execSync` in `assets/app/main.js` and less secure Electron `webPreferences`. While `execSync` is currently used for a legitimate, hardcoded AppleScript command (to get frontmost window bounds) and includes sanitization, it represents a powerful primitive that could be exploited for shell injection if user input were to influence the command. Additionally, the Electron app runs with `nodeIntegration: true` and `contextIsolation: false`, which are less secure configurations that increase the attack surface. The `SKILL.md` provides instructions for the agent to interact with a local API, and while the API input is sanitized against direct JavaScript injection, the overall design includes high-risk capabilities that could lead to vulnerabilities.
Capability Assessment
Purpose & Capability
Name/description match the implementation: an Electron overlay that moves around the screen, avoids cursor and frontmost window (using AppleScript to get front window bounds), and exposes a local HTTP API. macOS-only behavior (osascript, LaunchAgent) is coherent with the stated platform.
Instruction Scope
Runtime instructions and code stay within the pet's purpose. The app exposes an HTTP API on 127.0.0.1:18891 to set/get pet state (used by the agent). The app also runs osascript (via child_process.execSync) to query the frontmost application window — this accesses window bounds via System Events, which may trigger macOS Automation/Accessibility prompts. The local API is unauthenticated, so any local process can change the pet's state.
Install Mechanism
The provided install script copies the app to ~/.openclaw/desktop-pet and runs npm install --production. This pulls packages (electron, express) from npm — standard for Node apps but carries the usual npm risk (package code and lifecycle scripts executed during install). No remote arbitrary downloads or obscure short URLs are used; install artifacts are placed in a user directory and a LaunchAgent plist is written to ~/Library/LaunchAgents.
Credentials
No environment variables, credentials, or system-wide config paths beyond the user LaunchAgents folder are requested. The app legitimately needs system-level window/cursor info for its behavior; those accesses are local and aligned to the stated functionality.
Persistence & Privilege
Installer creates a LaunchAgent (label ai.openclaw.desktop-pet) with RunAtLoad and KeepAlive so the pet auto-starts at login and stays running. This is appropriate for a desktop companion but grants persistent user-level auto-launch; always:false (not force-included) and it does not modify other skills' configurations.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install mu-pet
  3. After installation, invoke the skill by name or use /mu-pet
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: pixel art lobster desktop pet. Transparent Electron overlay, roams full desktop, climbs walls/ceiling, avoids cursor and active windows, speech bubbles, HTTP API for agent state integration.
Metadata
Slug mu-pet
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Mu Pet?

Animated pixel art desktop pet that roams the screen as an always-on-top Electron overlay. The pet avoids the cursor and active windows, walks along screen e... It is an AI Agent Skill for Claude Code / OpenClaw, with 1025 downloads so far.

How do I install Mu Pet?

Run "/install mu-pet" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Mu Pet free?

Yes, Mu Pet is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Mu Pet support?

Mu Pet is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Mu Pet?

It is built and maintained by samskrta (@samskrta); the current version is v1.0.0.
