Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Generate Lego 3D Build Plan

v1.0.5

Call Craftsman Agent API OneKey Router to generate a LEGO 3D step-by-step instruction build plan.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The described purpose (call Craftsman Agent via a OneKey router to generate LEGO build plans) aligns with the included scripts and endpoint (https://agent.deepnlp.org/agent_router). However, the registry metadata earlier stated 'Required env vars: none' while the SKILL.md (and both scripts) require DEEPNLP_ONEKEY_ROUTER_ACCESS. This mismatch is a red flag about the accuracy and trustworthiness of the package metadata.
Instruction Scope
SKILL.md and the scripts are narrowly scoped: they validate input image URLs, build a JSON payload (prompt, images, mode, unique_id, api_id) and POST it to the stated agent router. They do not read arbitrary local files or other environment variables.
Install Mechanism
There is no install spec or external downloads; this is instruction-only with small included scripts. Nothing in the install surface installs extra binaries or writes arbitrary archives to disk.
Credentials
The skill requires a single API credential (DEEPNLP_ONEKEY_ROUTER_ACCESS), which is proportional to calling a remote API. The concern is the inconsistency: registry metadata advertised no required env vars while SKILL.md and both scripts require and will transmit this secret to agent.deepnlp.org (header X-OneKey). The lack of a declared primary credential and absent homepage/source amplify the trust risk.
Persistence & Privilege
The skill does not request persistent presence, does not set always:true, and does not modify agent/system configs. It runs only when invoked.
What to consider before installing
This skill appears to do what it says (POST your prompt/images to DeepNLP's OneKey router to get a LEGO build plan), but the package metadata omitted the required API key while the SKILL.md and scripts do require it. Before installing or running:
1) Verify you trust the endpoint (https://agent.deepnlp.org) and the unknown publisher; there's no homepage/source listed.
2) Treat DEEPNLP_ONEKEY_ROUTER_ACCESS as a secret: use a key with limited scope and rotate it if you test the skill.
3) Prefer running the scripts in an isolated environment (container/vm) and inspect network traffic if you need assurance of behavior.
4) Ask the publisher/registry to correct the metadata (declare the required env var and a homepage); if they provide a reputable source or docs, this would reduce the concern.
5) If you already supplied a high-privilege or reused key, consider revoking/rotating it.
Additional info that would raise confidence to 'high/benign': a verifiable publisher homepage, registry metadata corrected to list the required env var, or independent documentation for the Craftsman Agent/DeepNLP OneKey router.
scripts/generate_lego_build_plan.ts:53
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.
