← 返回 Skills 市场
Clawatar
作者
Dongping-Chen
· GitHub ↗
· v0.2.0
1161
总下载
2
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install clawatar
功能描述
Give your AI agent a 3D VRM avatar body with animations, expressions, voice chat, and lip sync. Use when the user wants a visual avatar, VRM viewer, avatar companion, VTuber-style character, or 3D character they can talk to. Installs a web-based viewer controllable via WebSocket.
使用说明 (SKILL.md)
Clawatar — 3D VRM Avatar Viewer
Give your AI agent a body. Web-based VRM avatar with 162 animations, expressions, TTS lip sync, and AI chat.
Install & Start
# Clone and install
git clone https://github.com/Dongping-Chen/Clawatar.git ~/.openclaw/workspace/clawatar
cd ~/.openclaw/workspace/clawatar && npm install
# Start (Vite + WebSocket server)
npm run start
Opens at http://localhost:3000 with WS control at ws://localhost:8765.
Users must provide their own VRM model (drag & drop onto page, or set model.url in clawatar.config.json).
WebSocket Commands
Send JSON to ws://localhost:8765:
play_action
{"type": "play_action", "action_id": "161_Waving"}
set_expression
{"type": "set_expression", "name": "happy", "weight": 0.8}
Expressions: happy, angry, sad, surprised, relaxed
speak (requires ElevenLabs API key)
{"type": "speak", "text": "Hello!", "action_id": "161_Waving", "expression": "happy"}
reset
{"type": "reset"}
Quick Animation Reference
| Mood | Action ID |
|---|---|
| Greeting | 161_Waving |
| Happy | 116_Happy Hand Gesture |
| Thinking | 88_Thinking |
| Agreeing | 118_Head Nod Yes |
| Disagreeing | 144_Shaking Head No |
| Laughing | 125_Laughing |
| Sad | 142_Sad Idle |
| Dancing | 105_Dancing, 143_Samba Dancing, 164_Ymca Dance |
| Thumbs Up | 153_Standing Thumbs Up |
| Idle | 119_Idle |
Full list: public/animations/catalog.json (162 animations)
Sending Commands from Agent
cd ~/.openclaw/workspace/clawatar && node -e "
const W=require('ws'),s=new W('ws://localhost:8765');
s.on('open',()=>{s.send(JSON.stringify({type:'speak',text:'Hello!',action_id:'161_Waving',expression:'happy'}));setTimeout(()=>s.close(),1000)})
"
UI Features
- Touch reactions: Click avatar head/body for reactions
- Emotion bar: Quick 😊😢😠😮😌💃 buttons
- Background scenes: Sakura Garden, Night Sky, Café, Sunset
- Camera presets: Face, Portrait, Full Body, Cinematic
- Voice chat: Mic input → AI response → TTS lip sync
Config
Edit clawatar.config.json for ports, voice settings, model URL. TTS requires ElevenLabs API key in env (ELEVENLABS_API_KEY) or ~/.openclaw/openclaw.json under skills.entries.sag.apiKey.
Notes
- Animations from Mixamo — credit required, non-commercial
- VRM model not included (BYOM — Bring Your Own Model)
- Works standalone without OpenClaw; AI chat is optional
安全使用建议
This skill appears to do what it says (a local web-based VRM viewer with TTS), but there are several red flags you should address before installing: 1) The registry metadata omits that an ELEVENLABS_API_KEY and a config path (~/.openclaw/openclaw.json) are used — ask the publisher to update metadata. 2) The runtime requires git clone + npm install + npm run start of a third-party GitHub repo; inspect that repo, especially package.json and any npm scripts, before running. 3) Prefer providing ELEVENLABS_API_KEY via environment variable (ELEVENLABS_API_KEY) rather than writing it into a shared ~/.openclaw config; if you must store it, review who/what can read that file. 4) Run the viewer in an isolated environment (container or VM) if you cannot fully vet the code. 5) Verify licensing for Mixamo assets and confirm the GitHub repo's trustworthiness (owner, commit history, issues). If you want, ask the skill author for a homepage, signed release, or a minimal install payload (e.g., packaged release) rather than running npm install from master.
功能分析
Type: OpenClaw Skill
Name: clawatar
Version: 0.2.0
The skill's installation process involves cloning a remote Git repository and installing npm dependencies, introducing supply chain risks. More critically, the `SKILL.md` instructs the AI agent to execute arbitrary Node.js code via `node -e` to interact with the local WebSocket server. While the provided example is benign, this capability presents a significant prompt injection vulnerability, allowing for potential arbitrary code execution (RCE) if an attacker can control the input to the `node -e` command.
能力评估
Purpose & Capability
The declared purpose (3D VRM avatar with TTS/lip-sync) aligns with the runtime instructions (git clone a viewer, run npm, open local web + WebSocket). However the registry metadata lists no required env vars or config paths while SKILL.md explicitly requires an ELEVENLABS_API_KEY and references ~/.openclaw/openclaw.json — this mismatch is unexpected.
Instruction Scope
SKILL.md instructs cloning a GitHub repo, running npm install and npm run start (which will download and execute third-party JS), opening local ports, and optionally reading/storing an ElevenLabs API key in ~/.openclaw/openclaw.json under skills.entries.sag.apiKey. The instruction to persist a credential in a global config and the mismatch of the config key name (sag.apiKey) are scope-creep and potentially surprising to users.
Install Mechanism
There is no formal install spec in the registry; instead SKILL.md tells the agent/user to git clone https://github.com/Dongping-Chen/Clawatar and run npm install/start. That causes arbitrary code from a third-party repo and npm packages to be installed and executed on the host — normal for this functionality but a material risk unless the repo and package.json/scripts are reviewed.
Credentials
Requesting an ElevenLabs API key is proportional for TTS. But the registry incorrectly declares no env vars, and SKILL.md suggests storing the key either in the environment (ELEVENLABS_API_KEY) or in a shared ~/.openclaw/openclaw.json under a non-obvious key (skills.entries.sag.apiKey). Asking to persist credentials in a global/shared config without declaring it is concerning.
Persistence & Privilege
always:false (ok) and autonomous invocation is default (not by itself alarming). However the guidance to place an API key into the global OpenClaw config (which could be read by other skills) increases the blast radius for credential exposure. The skill also writes into ~/.openclaw/workspace/clawatar which is a persistent workspace location.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install clawatar - 安装完成后,直接呼叫该 Skill 的名称或使用
/clawatar触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.2.0
Initial ClawHub release. 3D VRM avatar viewer with 162 animations, expressions, ElevenLabs TTS lip sync, AI chat via OpenClaw, sakura/anime UI theme, touch reactions, emotion bar, background scenes, camera presets.
元数据
常见问题
Clawatar 是什么?
Give your AI agent a 3D VRM avatar body with animations, expressions, voice chat, and lip sync. Use when the user wants a visual avatar, VRM viewer, avatar companion, VTuber-style character, or 3D character they can talk to. Installs a web-based viewer controllable via WebSocket. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1161 次。
如何安装 Clawatar?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install clawatar」即可一键安装,无需额外配置。
Clawatar 是免费的吗?
是的,Clawatar 完全免费(开源免费),可自由下载、安装和使用。
Clawatar 支持哪些平台?
Clawatar 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Clawatar?
由 Dongping-Chen(@dongping-chen)开发并维护,当前版本 v0.2.0。
推荐 Skills