← 返回 Skills 市场
1025
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install mu-pet
功能描述
Animated pixel art desktop pet that roams the screen as an always-on-top Electron overlay. The pet avoids the cursor and active windows, walks along screen e...
安全使用建议
What to consider before installing:
- This installs a local Electron app in your home directory and runs npm install, which will fetch packages (electron, express) from npm and run any package install scripts — common for Node apps but a vector for supply-chain risk. Only proceed if you trust the skill source.
- The installer writes a LaunchAgent plist to ~/Library/LaunchAgents and loads it immediately so the pet auto-starts on login. The uninstall script removes this, but check the plist before allowing it to run.
- The app uses osascript (AppleScript via child_process.execSync) to read the frontmost window's bounds. macOS may prompt you for Automation/Accessibility/Automation permissions when this runs.
- The pet exposes an unauthenticated HTTP API on 127.0.0.1:18891. Any local process can call it to change the pet's state (show text bubbles, etc.). This is expected functionality but be aware of local access.
- The Electron BrowserWindow is created with nodeIntegration: true and contextIsolation: false (renderer has Node privileges). This is typical for simple local Electron tools, but increases impact if the renderer could be fed untrusted content. In this package the UI is local files; still, be cautious about editing or enabling remote content.
- If you want to be extra careful: inspect main.js/index.html yourself, run the app in a sandboxed environment first (or review npm install output), and verify the LaunchAgent plist path and ProgramArguments before loading it with launchctl.
Overall: the skill appears coherent for a macOS desktop pet; the risks are operational (npm install, LaunchAgent persistence, local unauthenticated API) rather than indicators of hidden malicious intent.
功能分析
Type: OpenClaw Skill
Name: mu-pet
Version: 1.0.0
The skill is classified as suspicious due to the use of `child_process.execSync` in `assets/app/main.js` and less secure Electron `webPreferences`. While `execSync` is currently used for a legitimate, hardcoded AppleScript command (to get frontmost window bounds) and includes sanitization, it represents a powerful primitive that could be exploited for shell injection if user input were to influence the command. Additionally, the Electron app runs with `nodeIntegration: true` and `contextIsolation: false`, which are less secure configurations that increase the attack surface. The `SKILL.md` provides instructions for the agent to interact with a local API, and while the API input is sanitized against direct JavaScript injection, the overall design includes high-risk capabilities that could lead to vulnerabilities.
能力评估
Purpose & Capability
Name/description match the implementation: an Electron overlay that moves around the screen, avoids cursor and frontmost window (using AppleScript to get front window bounds), and exposes a local HTTP API. macOS-only behavior (osascript, LaunchAgent) is coherent with the stated platform.
Instruction Scope
Runtime instructions and code stay within the pet's purpose. The app exposes an HTTP API on 127.0.0.1:18891 to set/get pet state (used by the agent). The app also runs osascript (via child_process.execSync) to query the frontmost application window — this accesses window bounds via System Events, which may trigger macOS Automation/Accessibility prompts. The local API is unauthenticated, so any local process can change the pet's state.
Install Mechanism
The provided install script copies the app to ~/.openclaw/desktop-pet and runs npm install --production. This pulls packages (electron, express) from npm — standard for Node apps but carries the usual npm risk (package code and lifecycle scripts executed during install). No remote arbitrary downloads or obscure short URLs are used; install artifacts are placed in a user directory and a LaunchAgent plist is written to ~/Library/LaunchAgents.
Credentials
No environment variables, credentials, or system-wide config paths beyond the user LaunchAgents folder are requested. The app legitimately needs system-level window/cursor info for its behavior; those accesses are local and aligned to the stated functionality.
Persistence & Privilege
Installer creates a LaunchAgent (label ai.openclaw.desktop-pet) with RunAtLoad and KeepAlive so the pet auto-starts at login and stays running. This is appropriate for a desktop companion but grants persistent user-level auto-launch; always:false (not force-included) and it does not modify other skills' configurations.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install mu-pet - 安装完成后,直接呼叫该 Skill 的名称或使用
/mu-pet触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release: pixel art lobster desktop pet. Transparent Electron overlay, roams full desktop, climbs walls/ceiling, avoids cursor and active windows, speech bubbles, HTTP API for agent state integration.
元数据
常见问题
Mu Pet 是什么?
Animated pixel art desktop pet that roams the screen as an always-on-top Electron overlay. The pet avoids the cursor and active windows, walks along screen e... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1025 次。
如何安装 Mu Pet?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install mu-pet」即可一键安装,无需额外配置。
Mu Pet 是免费的吗?
是的,Mu Pet 完全免费(开源免费),可自由下载、安装和使用。
Mu Pet 支持哪些平台?
Mu Pet 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Mu Pet?
由 samskrta(@samskrta)开发并维护,当前版本 v1.0.0。
推荐 Skills