
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
@livekit/agents-plugin-liveavatar
Advanced tools
Support for LiveAvatar interactive avatars.
This is the JS/TS port of the Python livekit-plugins-liveavatar plugin. See https://docs.livekit.io/agents/models/avatar/plugins/liveavatar/ for more information.
npm install @livekit/agents-plugin-liveavatar
or
pnpm add @livekit/agents-plugin-liveavatar
Create a developer API key from the LiveAvatar dashboard and set the LIVEAVATAR_API_KEY environment variable with it:
export LIVEAVATAR_API_KEY=<your-liveavatar-api-key>
import { AvatarSession } from '@livekit/agents-plugin-liveavatar';
import { AgentSession } from '@livekit/agents';
const avatarSession = new AvatarSession({
avatarId: 'your-avatar-id', // or via LIVEAVATAR_AVATAR_ID
apiKey: process.env.LIVEAVATAR_API_KEY,
videoQuality: 'high', // optional: 'very_high' | 'high' | 'medium' | 'low'
});
await avatarSession.start(agentSession, room, {
livekitUrl: process.env.LIVEKIT_URL,
livekitApiKey: process.env.LIVEKIT_API_KEY,
livekitApiSecret: process.env.LIVEKIT_API_SECRET,
});
AvatarSessionavatarId?: string — The LiveAvatar avatar id. Falls back to LIVEAVATAR_AVATAR_ID.apiUrl?: string — Override the LiveAvatar API base URL.apiKey?: string — Your LiveAvatar API key. Falls back to LIVEAVATAR_API_KEY.isSandbox?: boolean — Use the LiveAvatar sandbox (1 minute connection limit). Defaults to false.videoQuality?: 'very_high' | 'high' | 'medium' | 'low' — Avatar video quality requested from the service. When omitted, the LiveAvatar service decides.avatarParticipantIdentity?: string — Identity for the avatar participant. Defaults to 'liveavatar-avatar-agent'.avatarParticipantName?: string — Display name for the avatar participant. Defaults to 'liveavatar-avatar-agent'.connOptions?: APIConnectOptions — API retry/timeout options.start(agentSession, room, options?)Starts the avatar session, brings up a LiveAvatar streaming session, opens the realtime websocket, and routes the agent's audio output through to the avatar.
StartOptions:
livekitUrl?: string — Falls back to LIVEKIT_URL.livekitApiKey?: string — Falls back to LIVEKIT_API_KEY.livekitApiSecret?: string — Falls back to LIVEKIT_API_SECRET.Apache 2.0
FAQs
LiveAvatar avatar plugin for LiveKit Node Agents
The npm package @livekit/agents-plugin-liveavatar receives a total of 116 weekly downloads. As such, @livekit/agents-plugin-liveavatar popularity was classified as not popular.
We found that @livekit/agents-plugin-liveavatar demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 20 open source maintainers collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.