Reachy Mini

Control a Reachy Mini robot (by Pollen Robotics / Hugging Face) via its REST API and SSH. Use for any request involving the Reachy Mini robot — moving the head, body, or antennas; playing emotions or dances; capturing camera snapshots; adjusting volume; managing apps; checking robot status; or any physical robot interaction. The robot has a 6-DoF head, 360° body rotation, two animated antennas, a wide-angle camera (with non-disruptive WebRTC snapshot), 4-mic array, and speaker.

This skill appears to genuinely control a Reachy Mini, but pay attention to the following before installing: - Missing declarations: The skill metadata does NOT declare required environment variables or a primary credential, yet the scripts expect REACHY_HOST, REACHY_SSH_USER and REACHY_SSH_PASS. Treat that as a red flag — confirm where you'll store the robot host and credentials. - Credentials & defaults: The documentation uses a default SSH password ('root') and the scripts will use sshpass if provided. Prefer creating a dedicated, unprivileged account on the robot and using an SSH key; avoid placing a plaintext password in environment variables if possible. - Insecure SSH options: The scripts use StrictHostKeyChecking=no which disables host-key verification. That eases automation but makes man-in-the-middle attacks easier. If you proceed, replace sshpass/disabled host-key-checking with SSH keys and known_hosts pinning. - Binaries required at runtime: The scripts rely on curl, jq, ssh, scp, sshpass (optional) and on GStreamer/Python GObject for on-robot snapshots. Ensure these are present and that running them with provided credentials is acceptable in your environment. - Network & trust: The skill will attempt to contact whatever REACHY_HOST you configure (default is a local IP). Only install/use this skill on networks and devices you control and trust. Review the scripts (they are included) to verify they don't call any unexpected external endpoints — they only contact the robot in the provided files. If you plan to use this skill: (1) remove or change default credentials on the robot, (2) prefer an SSH key and drop sshpass usage, (3) pin the robot's SSH host key, (4) set the required env vars explicitly and securely, and (5) audit the CLI's 'raw' and 'app-install' commands before giving the agent autonomous invocation rights.

Type: OpenClaw Skill Name: reachy-mini Version: 1.1.0 The skill is classified as suspicious due to the insecure handling of SSH credentials. The `scripts/reachy.sh` script uses `sshpass` to provide the `REACHY_SSH_PASS` (default 'root') on the command line when performing camera snapshots. This exposes the SSH password in plaintext within the process list of the OpenClaw agent's host, which is a significant security risk. While the intent is to control the robot, this method of credential management is highly vulnerable to local information disclosure.