Craftsman Agent Build Plans
v0.1.0Turn prompts or ideas into 3D assembly/build plans such as LEGO Minecraft via the Craftsman Agent API (OneKey Gateway or local server). Use when generating b...
⭐ 0· 106·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description match the included scripts and instructions: the Python/TypeScript scripts call the stated OneKey Gateway endpoint to request LEGO/Minecraft build plans. The code and declared dependencies are consistent with making API calls to an external service. However, registry metadata lists no required env vars while SKILL.md and the scripts explicitly expect DEEPNLP_ONEKEY_ROUTER_ACCESS — this metadata mismatch should be clarified.
Instruction Scope
SKILL.md directs the agent to read server routes at python/src/server.py, but no such file exists in the bundle (repository only contains scripts). The runtime instructions also instruct use of the OneKey router and to run the included scripts; those scripts perform straightforward POST requests. The instructions are otherwise scoped to the stated task, but the missing server file and the guidance to fallback to a demo key (see below) are inconsistent and warrant caution.
Install Mechanism
This is an instruction-only skill with included scripts; there is no install spec that downloads arbitrary code from unknown URLs. SKILL.md recommends installing an npm package and a Python package (names provided). That is reasonable for the task; the packages are standard install methods (npm/pip).
Credentials
The only runtime secret used is DEEPNLP_ONEKEY_ROUTER_ACCESS, which is appropriate for a gateway API. Concerns: (1) the scripts append the API key as a URL query parameter (onekey=...) which can be logged by servers/proxies — not best practice for secret handling; (2) a hard-coded demo key (BETA_TEST_KEY_MARCH_2026) is embedded in the code and used as a fallback, which is a weakly scoped credential in the bundle; and (3) the top-level registry metadata omits the env var requirement while SKILL.md marks it required — inconsistent declarations.
Persistence & Privilege
The skill does not request always-on privileges, does not modify other skills or global agent config, and has no required config paths. Autonomous invocation is allowed (platform default) but not combined with other elevated privileges.
Assessment
This skill appears to do what it says (call an external Craftsman Agent endpoint and return build-plan JSON), but take these precautions before installing or using it: 1) Verify the DEEPNLP_ONEKEY_ROUTER_ACCESS requirement — the registry metadata omits it but the scripts use it. 2) Review and confirm the external endpoint (https://agent.deepnlp.org/agent) is trustworthy; the scripts send your API key as a URL query parameter which may be logged by intermediaries. 3) Note the repo embeds a demo key; do not rely on it for production or expose sensitive real keys while testing. 4) The SKILL.md references a server file (python/src/server.py) that is not present — ask the author or vendor for the missing server code or clarification. 5) If you will run the scripts, consider running them in an isolated environment and review/limit network access if you do not trust the remote endpoint. If you need higher assurance, ask the publisher for provenance (homepage, owner contact) and a signed release or further documentation.scripts/generate_lego_build_plan.ts:44
Environment variable access combined with network send.
scripts/generate_minecraft_build_plan.ts:44
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.Like a lobster shell, security has layers — review code before you run it.
latestvk9734fyzhe09x235tbhmqary1583c9g2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.