Skill v1.0.0
ClawScan security
AI 3D generation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 10, 2026, 5:35 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are consistent with its stated purpose of driving Neural4D text/image-to-3D pipelines; nothing requested is disproportionate or unrelated.
- Guidance: This skill is instruction-only and appears to do what it says: call Neural4D endpoints to generate and convert 3D assets. Before installing, confirm the API host (https://alb.neural4d.com:3000) is the legitimate service you expect, and avoid putting a high-privilege/shared token in a global environment variable; prefer a dedicated API token with limited quota. Expect the skill to upload images and download model files to the configured ~/neural4d-3d-generation/ directory; ensure you are comfortable with that directory being used. Monitor API usage (the skill warns about point costs) and test with a small/limited token or sandbox account first. If you need stronger assurance, ask the publisher for a homepage or documentation and verify the domain and service ownership.
Review Dimensions
- Purpose & Capability (ok): Name/description (AI 3D generation via Neural4D) align with the SKILL.md: endpoints, async polling, matting and conversion pipelines, and downloading model URLs. Required binaries (curl, jq) are reasonable for an instruction-only HTTP-based integration. The declared config path (~/neural4d-3d-generation/) is plausible for storing model artifacts. Minor note: the registry metadata lists no required env vars but the SKILL.md expects an optional NEURAL4D_API_TOKEN; this is a small metadata/optional-credential mismatch, not functional incoherence.
- Instruction Scope (ok): The instructions confine operations to calling Neural4D endpoints, polling job status, uploading images for matting, and downloading model files. They do not instruct the agent to read unrelated files, search system state, or send data to unexpected endpoints. All external network activity is targeted at the documented base URL.
- Install Mechanism (ok): No install spec or code files (instruction-only), so nothing will be written or executed on disk by an installer. This is the lowest-risk install model.
- Credentials (note): The only credential mentioned is NEURAL4D_API_TOKEN (documented in SKILL.md as required for API calls and marked optional in metadata). That single API token is proportional to making authenticated requests. The skill requests a configuration directory for storing artifacts; this is reasonable but means filesystem write/read permissions will be used in that path. There are no unrelated secrets or multiple credentials requested.
- Persistence & Privilege (ok): The skill does not request always:true and is user-invocable. It does not claim to modify other skills or system-wide settings. No persistent installation steps are defined.
